@etree/cli 2.0.1

package/src/commands/member.ts

@@ -0,0 +1,146 @@
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import { api } from "../lib/api";
+
+/**
+ * Helper: find a wallet ID by name from the user's wallets.
+ */
+async function findWalletId(name: string): Promise<string | null> {
+  const result = await api.get("/wallets");
+  const owned = result.owned.find((w: any) => w.name === name);
+  if (owned) return owned.id;
+  const shared = result.shared.find((w: any) => w.name === name);
+  if (shared) return shared.id;
+  return null;
+}
+
+export function registerMemberCommands(program: Command): void {
+  const member = program.command("member").description("Manage wallet members");
+
+  // ── member add ──
+  member
+    .command("add <wallet> <username>")
+    .description("Add a member to a wallet")
+    .option("-r, --role <role>", "Role: admin, read, write", "read")
+    .action(
+      async (walletName: string, username: string, opts: { role: string }) => {
+        const spinner = ora("Adding member...").start();
+        try {
+          const walletId = await findWalletId(walletName);
+          if (!walletId) {
+            spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+            return;
+          }
+
+          const result = await api.post(`/wallets/${walletId}/members`, {
+            username,
+            role: opts.role,
+          });
+
+          spinner.succeed(
+            chalk.green(
+              `Added "${username}" as ${opts.role} to "${walletName}"`,
+            ),
+          );
+
+          if (result.public_key) {
+            console.log(
+              chalk.dim(
+                `   Their public key: ${result.public_key.substring(0, 20)}...`,
+              ),
+            );
+            console.log(
+              chalk.yellow(
+                "   ⚠ Remember to re-encrypt secrets for this user:",
+              ),
+            );
+            console.log(
+              chalk.yellow(`     envtree secret share ${walletName}`),
+            );
+          }
+        } catch (err: any) {
+          spinner.fail(chalk.red(`Failed: ${err.message}`));
+        }
+      },
+    );
+
+  // ── member list ──
+  member
+    .command("list <wallet>")
+    .alias("ls")
+    .description("List members of a wallet")
+    .action(async (walletName: string) => {
+      const spinner = ora("Fetching members...").start();
+      try {
+        const walletId = await findWalletId(walletName);
+        if (!walletId) {
+          spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+          return;
+        }
+
+        const result = await api.get(`/wallets/${walletId}/members`);
+        spinner.stop();
+
+        console.log(chalk.bold(`\nMembers of "${walletName}"`));
+
+        // Owner
+        if (result.owner) {
+          console.log(
+            `   ${chalk.cyan(result.owner.username)} ${chalk.dim(`(${result.owner.email})`)} ${chalk.green("[owner]")}`,
+          );
+        }
+
+        // Members
+        if (result.members && result.members.length > 0) {
+          for (const m of result.members) {
+            const roleColor =
+              m.role === "admin"
+                ? chalk.magenta
+                : m.role === "write"
+                  ? chalk.blue
+                  : chalk.dim;
+            console.log(
+              `   ${chalk.cyan(m.user.username)} ${chalk.dim(`(${m.user.email})`)} ${roleColor(`[${m.role}]`)}`,
+            );
+          }
+        } else {
+          console.log(chalk.dim("   No additional members"));
+        }
+        console.log("");
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+
+  // ── member remove ──
+  member
+    .command("remove <wallet> <username>")
+    .description("Remove a member from a wallet")
+    .action(async (walletName: string, username: string) => {
+      const spinner = ora("Removing member...").start();
+      try {
+        const walletId = await findWalletId(walletName);
+        if (!walletId) {
+          spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+          return;
+        }
+
+        // Look up user ID by username
+        const profileResult = await api.get(`/profile/${username}`);
+        if (!profileResult.profile) {
+          spinner.fail(chalk.red(`User "${username}" not found`));
+          return;
+        }
+
+        await api.delete(
+          `/wallets/${walletId}/members/${profileResult.profile.id}`,
+        );
+        spinner.succeed(
+          chalk.green(`Removed "${username}" from "${walletName}"`),
+        );
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+}

package/src/commands/secret.ts

@@ -0,0 +1,381 @@
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import { api } from "../lib/api";
+import { encrypt, decrypt, shutdown } from "../lib/crypto";
+import { requirePrivateKey } from "../lib/key-store";
+import { updateEnvFile, ensureGitIgnore } from "../lib/env-manager";
+
+/**
+ * Helper: find a wallet ID by name.
+ */
+async function findWalletId(name: string): Promise<string | null> {
+  const result = await api.get("/wallets");
+  const owned = result.owned.find((w: any) => w.name === name);
+  if (owned) return owned.id;
+  const shared = result.shared.find((w: any) => w.name === name);
+  if (shared) return shared.id;
+  return null;
+}
+
+/**
+ * Get all public keys of wallet members (owner + members).
+ */
+async function getWalletPublicKeys(walletId: string): Promise<string[]> {
+  const result = await api.get(`/wallets/${walletId}/members`);
+  const keys: string[] = [];
+
+  if (result.owner?.public_key) {
+    keys.push(result.owner.public_key);
+  }
+
+  if (result.members) {
+    for (const m of result.members) {
+      if (m.user?.public_key) {
+        keys.push(m.user.public_key);
+      }
+    }
+  }
+
+  return keys;
+}
+
+/**
+ * Shared logic for pushing a secret (used by `secret set` and top-level `push`).
+ */
+export async function pushSecret(
+  walletName: string,
+  keyName: string,
+  value: string,
+): Promise<void> {
+  const spinner = ora("Encrypting and saving secret...").start();
+  try {
+    const walletId = await findWalletId(walletName);
+    if (!walletId) {
+      spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+      return;
+    }
+
+    spinner.text = "Fetching member public keys...";
+    const publicKeys = await getWalletPublicKeys(walletId);
+
+    if (publicKeys.length === 0) {
+      spinner.fail(chalk.red("No members with public keys found"));
+      return;
+    }
+
+    spinner.text = `Encrypting for ${publicKeys.length} member(s)...`;
+    const secrets = [];
+    for (const pk of publicKeys) {
+      const ciphertext = await encrypt(value, pk);
+      secrets.push({
+        key_name: keyName,
+        encrypted_value: ciphertext,
+        encrypted_for: pk,
+      });
+    }
+
+    spinner.text = "Uploading encrypted secrets...";
+    await api.post(`/wallets/${walletId}/secrets`, { secrets });
+
+    spinner.succeed(
+      chalk.green(
+        `Secret "${keyName}" saved (encrypted for ${publicKeys.length} member(s))`,
+      ),
+    );
+  } catch (err: any) {
+    spinner.fail(chalk.red(`Failed: ${err.message}`));
+  } finally {
+    shutdown();
+  }
+}
+
+/**
+ * Shared logic for pulling secrets (used by `secret pull` and top-level `pull`).
+ */
+export async function pullSecrets(
+  walletName: string,
+  opts: { output?: string; sync?: boolean },
+): Promise<void> {
+  const privateKey = requirePrivateKey();
+  const spinner = ora("Pulling secrets...").start();
+  try {
+    const walletId = await findWalletId(walletName);
+    if (!walletId) {
+      spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+      return;
+    }
+
+    const result = await api.get(`/wallets/${walletId}/secrets`);
+
+    if (result.secrets.length === 0) {
+      spinner.warn(chalk.yellow(`No secrets found in wallet "${walletName}"`));
+      return;
+    }
+
+    spinner.text = `Decrypting ${result.secrets.length} secret(s)...`;
+
+    const lines: string[] = [];
+    lines.push(`# EnvTree — ${walletName}`);
+    lines.push(`# Generated at ${new Date().toISOString()}`);
+    lines.push("");
+
+    const decrypted: { key: string; value: string }[] = [];
+    for (const secret of result.secrets) {
+      try {
+        const plaintext = await decrypt(secret.encrypted_value, privateKey);
+        lines.push(`${secret.key_name}=${plaintext}`);
+        decrypted.push({ key: secret.key_name, value: plaintext });
+      } catch {
+        lines.push(`# FAILED TO DECRYPT: ${secret.key_name}`);
+      }
+    }
+
+    const outputStr = lines.join("\n") + "\n";
+
+    if (opts.sync) {
+      // Sync directly into the local .env
+      spinner.text = "Syncing secrets to .env...";
+      for (const { key, value } of decrypted) {
+        updateEnvFile(key, value);
+      }
+      ensureGitIgnore(".env");
+      spinner.succeed(
+        chalk.green(
+          `${decrypted.length} secret(s) synced to .env`,
+        ),
+      );
+    } else if (opts.output) {
+      const fs = require("fs");
+      fs.writeFileSync(opts.output, outputStr);
+      spinner.succeed(
+        chalk.green(
+          `${result.secrets.length} secret(s) written to ${opts.output}`,
+        ),
+      );
+    } else {
+      spinner.stop();
+      console.log(outputStr);
+    }
+  } catch (err: any) {
+    spinner.fail(chalk.red(`Failed: ${err.message}`));
+  } finally {
+    shutdown();
+  }
+}
+
+export function registerSecretCommands(program: Command): void {
+  const secret = program
+    .command("secret")
+    .description("Manage encrypted secrets");
+
+  // ── secret set ──
+  secret
+    .command("set <wallet> <key> <value>")
+    .description("Encrypt & store a secret for all wallet members")
+    .action(pushSecret);
+
+  // ── secret update ──
+  secret
+    .command("update <wallet> <key> <value>")
+    .description("Update an existing secret's value (re-encrypts for all members)")
+    .action(pushSecret);
+
+  // ── secret get ──
+  secret
+    .command("get <wallet> <key>")
+    .description("Decrypt and display a specific secret")
+    .option("-s, --save", "Save the value to your local .env file")
+    .action(
+      async (
+        walletName: string,
+        keyName: string,
+        opts: { save?: boolean },
+      ) => {
+        const privateKey = requirePrivateKey();
+        const spinner = ora("Fetching and decrypting...").start();
+        try {
+          const walletId = await findWalletId(walletName);
+          if (!walletId) {
+            spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+            return;
+          }
+
+          const result = await api.get(`/wallets/${walletId}/secrets`);
+          const secret = result.secrets.find(
+            (s: any) => s.key_name === keyName,
+          );
+
+          if (!secret) {
+            spinner.fail(
+              chalk.red(
+                `Secret "${keyName}" not found in wallet "${walletName}"`,
+              ),
+            );
+            return;
+          }
+
+          spinner.text = "Decrypting...";
+          const plaintext = await decrypt(
+            secret.encrypted_value,
+            privateKey,
+          );
+
+          if (opts.save) {
+            spinner.text = "Saving to .env...";
+            updateEnvFile(keyName, plaintext);
+            ensureGitIgnore(".env");
+            spinner.succeed(
+              chalk.green(`Secret "${keyName}" saved to .env`),
+            );
+          } else {
+            spinner.stop();
+            console.log(`${chalk.cyan(keyName)}=${plaintext}`);
+          }
+        } catch (err: any) {
+          spinner.fail(chalk.red(`Failed: ${err.message}`));
+        } finally {
+          shutdown();
+        }
+      },
+    );
+
+  // ── secret list ──
+  secret
+    .command("list <wallet>")
+    .alias("ls")
+    .description("List all secret keys in a wallet")
+    .action(async (walletName: string) => {
+      const spinner = ora("Fetching secrets...").start();
+      try {
+        const walletId = await findWalletId(walletName);
+        if (!walletId) {
+          spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+          return;
+        }
+
+        const result = await api.get(`/wallets/${walletId}/secrets/all`);
+        spinner.stop();
+
+        if (result.keys.length === 0) {
+          console.log(chalk.yellow(`No secrets in wallet "${walletName}"`));
+          return;
+        }
+
+        console.log(chalk.bold(`\nSecrets in "${walletName}"`));
+        for (const key of result.keys) {
+          console.log(`   ${chalk.cyan(key)}`);
+        }
+        console.log(chalk.dim(`\n   ${result.keys.length} secret(s) total\n`));
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+
+  // ── secret pull ──
+  secret
+    .command("pull <wallet>")
+    .description("Pull and decrypt all secrets")
+    .option("-o, --output <file>", "Write to a file instead of stdout")
+    .option("--sync", "Sync all secrets directly to your local .env")
+    .action(
+      async (
+        walletName: string,
+        opts: { output?: string; sync?: boolean },
+      ) => {
+        await pullSecrets(walletName, opts);
+      },
+    );
+
+  // ── secret delete ──
+  secret
+    .command("delete <wallet> <key>")
+    .alias("rm")
+    .description("Delete a secret from a wallet")
+    .action(async (walletName: string, keyName: string) => {
+      const spinner = ora("Deleting secret...").start();
+      try {
+        const walletId = await findWalletId(walletName);
+        if (!walletId) {
+          spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+          return;
+        }
+
+        const result = await api.get(`/wallets/${walletId}/secrets`);
+        const secret = result.secrets.find(
+          (s: any) => s.key_name === keyName,
+        );
+
+        if (!secret) {
+          spinner.fail(chalk.red(`Secret "${keyName}" not found`));
+          return;
+        }
+
+        await api.delete(`/wallets/${walletId}/secrets/${secret.id}`);
+        spinner.succeed(
+          chalk.green(`Secret "${keyName}" deleted from "${walletName}"`),
+        );
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+
+  // ── secret share ──
+  secret
+    .command("share <wallet>")
+    .description("Re-encrypt all secrets for all current wallet members")
+    .action(async (walletName: string) => {
+      const privateKey = requirePrivateKey();
+      const spinner = ora(
+        "Re-encrypting secrets for all members...",
+      ).start();
+      try {
+        const walletId = await findWalletId(walletName);
+        if (!walletId) {
+          spinner.fail(chalk.red(`Wallet "${walletName}" not found`));
+          return;
+        }
+
+        const mySecrets = await api.get(`/wallets/${walletId}/secrets`);
+        if (mySecrets.secrets.length === 0) {
+          spinner.warn(chalk.yellow("No secrets to share"));
+          return;
+        }
+
+        const publicKeys = await getWalletPublicKeys(walletId);
+
+        spinner.text = `Re-encrypting ${mySecrets.secrets.length} secret(s) for ${publicKeys.length} member(s)...`;
+
+        const allSecrets = [];
+        for (const secret of mySecrets.secrets) {
+          const plaintext = await decrypt(
+            secret.encrypted_value,
+            privateKey,
+          );
+
+          for (const pk of publicKeys) {
+            const ciphertext = await encrypt(plaintext, pk);
+            allSecrets.push({
+              key_name: secret.key_name,
+              encrypted_value: ciphertext,
+              encrypted_for: pk,
+            });
+          }
+        }
+
+        await api.post(`/wallets/${walletId}/secrets`, {
+          secrets: allSecrets,
+        });
+
+        spinner.succeed(
+          chalk.green(
+            `${mySecrets.secrets.length} secret(s) re-encrypted for ${publicKeys.length} member(s)`,
+          ),
+        );
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      } finally {
+        shutdown();
+      }
+    });
+}

package/src/commands/shortcuts.ts

@@ -0,0 +1,25 @@
+import { Command } from "commander";
+import { pushSecret, pullSecrets } from "./secret";
+
+/**
+ * Register top-level shortcut commands:
+ *   et push <wallet> <key> <value>  →  secret set
+ *   et pull <wallet>                →  secret pull --sync
+ */
+export function registerShortcuts(program: Command): void {
+  // ── et push ──
+  program
+    .command("push <wallet> <key> <value>")
+    .description("Shortcut: Encrypt & store a secret (same as: secret set)")
+    .action(pushSecret);
+
+  // ── et pull ──
+  program
+    .command("pull <wallet>")
+    .description("Shortcut: Sync all secrets to local .env (same as: secret pull --sync)")
+    .option("-o, --output <file>", "Write to a file instead of syncing to .env")
+    .action(async (walletName: string, opts: { output?: string }) => {
+      // Default behavior: --sync (write to .env)
+      await pullSecrets(walletName, { sync: !opts.output, output: opts.output });
+    });
+}

package/src/commands/wallet.ts

@@ -0,0 +1,97 @@
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import { api } from "../lib/api";
+
+export function registerWalletCommands(program: Command): void {
+  const wallet = program.command("wallet").description("Manage key wallets");
+
+  // ── wallet create ──
+  wallet
+    .command("create <name>")
+    .description("Create a new key wallet")
+    .option("-d, --description <desc>", "Wallet description")
+    .action(async (name: string, opts: { description?: string }) => {
+      const spinner = ora("Creating wallet...").start();
+      try {
+        const result = await api.post("/wallets", {
+          name,
+          description: opts.description,
+        });
+        spinner.succeed(chalk.green(`Wallet "${name}" created`));
+        console.log(chalk.dim(`   ID: ${result.wallet.id}`));
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+
+  // ── wallet list ──
+  wallet
+    .command("list")
+    .alias("ls")
+    .description("List all your wallets")
+    .action(async () => {
+      const spinner = ora("Fetching wallets...").start();
+      try {
+        const result = await api.get("/wallets");
+        spinner.stop();
+
+        if (result.owned.length === 0 && result.shared.length === 0) {
+          console.log(
+            chalk.yellow(
+              "No wallets found. Create one with: envtree wallet create <name>",
+            ),
+          );
+          return;
+        }
+
+        if (result.owned.length > 0) {
+          console.log(chalk.bold("\nOwned Wallets"));
+          for (const w of result.owned) {
+            console.log(
+              `   ${chalk.cyan(w.name)} ${chalk.dim(`(${w.id.substring(0, 8)}...)`)}`,
+            );
+            if (w.description) console.log(`      ${chalk.dim(w.description)}`);
+          }
+        }
+
+        if (result.shared.length > 0) {
+          console.log(chalk.bold("\nShared Wallets"));
+          for (const w of result.shared) {
+            console.log(
+              `   ${chalk.cyan(w.name)} ${chalk.dim(`[${w.role}]`)} ${chalk.dim(`(${w.id?.substring(0, 8)}...)`)}`,
+            );
+          }
+        }
+        console.log("");
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+
+  // ── wallet delete ──
+  wallet
+    .command("delete <name>")
+    .description("Delete a wallet (owner only)")
+    .action(async (name: string) => {
+      const spinner = ora("Finding wallet...").start();
+      try {
+        // Find wallet by name
+        const listResult = await api.get("/wallets");
+        const target = listResult.owned.find((w: any) => w.name === name);
+
+        if (!target) {
+          spinner.fail(
+            chalk.red(`Wallet "${name}" not found or you are not the owner`),
+          );
+          return;
+        }
+
+        spinner.text = "Deleting wallet...";
+        await api.delete(`/wallets/${target.id}`);
+        spinner.succeed(chalk.green(`Wallet "${name}" deleted`));
+      } catch (err: any) {
+        spinner.fail(chalk.red(`Failed: ${err.message}`));
+      }
+    });
+}

package/src/index.ts

@@ -0,0 +1,50 @@
+#!/usr/bin/env node
+
+import { Command } from "commander";
+import { registerAuthCommands } from "./commands/auth";
+import { registerWalletCommands } from "./commands/wallet";
+import { registerMemberCommands } from "./commands/member";
+import { registerSecretCommands } from "./commands/secret";
+import { registerInitCommand } from "./commands/init";
+import { registerConfigCommands } from "./commands/config";
+import { registerShortcuts } from "./commands/shortcuts";
+
+const program = new Command();
+
+program
+  .name("et")
+  .description("EnvTree — Securely manage and share environment variables")
+  .version("1.0.0")
+  .addHelpText(
+    "after",
+    `
+Quick Start:
+  $ et init                              First-time setup (signup/login)
+  $ et push <wallet> <key> <value>       Encrypt & store a secret
+  $ et pull <wallet>                     Sync all secrets to local .env
+  $ et whoami                            Check current user
+
+Examples:
+  $ et init
+  $ et push production DB_URL "postgres://..."
+  $ et pull production
+  $ et pull production -o .env.production
+  $ et secret list production
+  $ et member add production alice --role write
+`,
+  );
+
+// Core commands
+registerAuthCommands(program);
+registerInitCommand(program);
+registerConfigCommands(program);
+
+// Resource commands
+registerWalletCommands(program);
+registerMemberCommands(program);
+registerSecretCommands(program);
+
+// Top-level shortcuts
+registerShortcuts(program);
+
+program.parse(process.argv);