@keywaysh/cli 0.0.3 → 0.0.4

package/README.md

@@ -1,50 +1,82 @@
-# Keyway CLI
-
-> GitHub-native secrets manager for dev teams
+<div align="center">
+  <h1>Keyway CLI</h1>
+  <strong>The simplest way to sync your project's environment variables.</strong><br/>
+  Stop sending <code>.env</code> files on Slack. One command and you're in sync.
+  <br/><br/>
+  <a href="https://keyway.sh">keyway.sh</a> ·
+  <a href="https://github.com/keywaysh/cli">GitHub</a> ·
+  <a href="https://www.npmjs.com/package/@keywaysh/cli">NPM</a>
+  <br/><br/>
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![npm version](https://badge.fury.io/js/%40keywaysh%2Fcli.svg)](https://www.npmjs.com/package/@keywaysh/cli)
 
-## Installation
+</div>
+
+## Why Keyway?
+
+Most devs store secrets in... chaotic places:
+
+- Slack
+- Notion
+- Discord
+- Google Docs
+- Lost `.env` files
+- Messages you can't find anymore
+- Machine of the dev who left the project
+
+**Keyway fixes that.**
+
+If you have GitHub access to a repo → you have access to its secrets.
+No invites. No dashboards. No complex config.
+Just one command that works.
+
+## Install
 
 ```bash
-npm install @keywaysh/cli -g
+npm install -g @keywaysh/cli
 ```
 
 ## Quick Start
 
+Inside any project connected to GitHub:
+
 ```bash
-# Authenticate and create your vault
 keyway login
 keyway init
+```
 
-# Push your secrets (defaults to .env; pick a file with --file)
-keyway push
+What happens:
 
-# On another machine, pull them back
+1. Keyway authenticates via GitHub OAuth
+2. Detects your GitHub repo
+3. Creates a vault for this repo
+4. Asks if you want to sync your `.env`
+
+Then any teammate can simply run:
+
+```bash
 keyway pull
 ```
 
+And boom: your `.env` is recreated locally.
+
 ## Commands
 
 ### `keyway login`
 
-Authenticate with GitHub through the Keyway OAuth/device flow and cache a session locally.
+Authenticate with GitHub through the Keyway OAuth/device flow.
 
 ```bash
 keyway login
 ```
 
-If you forget to log in, `init`, `push`, and `pull` will prompt you to authenticate (skip with `--no-login-prompt` in CI).
-
-Fine-grained PAT alternative:
+If you prefer using a fine-grained PAT:
 
 ```bash
 keyway login --token
 ```
 
-This opens GitHub to create a repo-scoped fine-grained PAT (metadata: read-only, no account permissions). Paste the `github_pat_...` token when prompted; the CLI validates and stores it.
-
 ### `keyway init`
 
 Initialize a vault for the current repository.
@@ -53,18 +85,15 @@ Initialize a vault for the current repository.
 keyway init
 ```
 
-**Requirements:**
-- Must be in a git repository
-- Repository must have a GitHub remote
-- Authenticated via `keyway login` (or provide `GITHUB_TOKEN`)
+Creates a vault, pushes your `.env`, and sets everything up.
 
 ### `keyway push`
 
-Upload secrets from a local env file to the vault.
+Push your local `.env` to the vault.
 
 ```bash
-# Push env file to development environment (default)
-keyway push --file .env
+# Push to development (default)
+keyway push
 
 # Push to a specific environment
 keyway push --env production
@@ -73,35 +102,36 @@ keyway push --env production
 keyway push --file .env.staging --env staging
 ```
 
-**Options:**
-- `-e, --env <environment>` - Environment name (default: "development")
-- `-f, --file <file>` - File to push (default file used if not provided)
+Useful when:
+- you added a new variable
+- you rotated a key
+- you fixed a staging/production mismatch
 
 ### `keyway pull`
 
-Download secrets from the vault to a local env file.
+Pull secrets from the vault and write them to `.env`.
 
 ```bash
-# Pull development environment to your env file (default path if omitted)
-keyway pull --file .env
+# Pull development environment (default)
+keyway pull
 
 # Pull from a specific environment
 keyway pull --env production
 
 # Pull to a different file
-keyway pull --file .env.local --env development
+keyway pull --file .env.local
 ```
 
-**Options:**
-- `-e, --env <environment>` - Environment name (default: "development")
-- `-f, --file <file>` - File to write to (default file used if not provided)
+Perfect for:
+- onboarding a new dev
+- syncing your local environment
+- switching between machines
 
 ### `keyway doctor`
 
-Run comprehensive environment diagnostics.
+Diagnostic command to check your setup.
 
 ```bash
-# Run all checks
 keyway doctor
 
 # Output as JSON (for CI/CD)
@@ -112,132 +142,106 @@ keyway doctor --strict
 ```
 
 **Checks performed:**
-- ✅ Node.js version (≥18.0.0 required)
-- ✅ Git installation and repository status
-- ✅ Network connectivity to API
-- ✅ File system write permissions
-- ✅ .gitignore configuration for environment files
+- Node.js version (≥18.0.0 required)
+- Git installation and repository status
+- API connectivity
+- File system write permissions
+- `.gitignore` configuration
+- System clock synchronization
 
-## Configuration
+### `keyway logout`
 
-### GitHub Token
-
-Keyway prefers the OAuth/device flow:
-
-```bash
-keyway login
-```
-
-This opens a browser (or gives you a code/URL) and stores a Keyway token in `~/.config/keyway/config.json`.
-
-If you cannot use the login flow, set a GitHub token manually:
-
-**Option 1: Environment Variable**
+Clear stored Keyway credentials.
 
 ```bash
-export GITHUB_TOKEN=your_github_personal_access_token
+keyway logout
 ```
 
-**Option 2: Git Config**
+## Security
 
-```bash
-git config --global github.token your_github_personal_access_token
-```
+Keyway is designed to be **simple and secure** — a major upgrade from Slack or Notion, without the complexity of Hashicorp Vault or AWS Secrets Manager.
 
-**Creating a GitHub Token:**
+**What we do:**
+- AES-256-GCM encryption server-side
+- TLS everywhere
+- GitHub read-only permissions
+- No access to your code
+- Secrets stored encrypted at rest
+- No analytics on secret values (only metadata)
 
-1. Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic)
-2. Click "Generate new token"
-3. Select scopes: `repo` (Full control of private repositories)
-4. Generate and copy the token
+**What we don't do:**
+- No zero-trust enterprise model
+- No access to your cloud infrastructure
+- No access to your production deployment keys
 
-### API URL
+More details: [keyway.sh/security](https://keyway.sh/security)
 
-By default, Keyway uses the production API at `https://keyway-backend-production.up.railway.app`. To point to another API:
+## Who is this for?
 
-```bash
-export KEYWAY_API_URL=http://localhost:3000
-```
+Keyway is perfect for:
+- Solo developers
+- Small teams
+- Side-projects
+- Early SaaS
+- Agencies managing many repos
+- Rapid prototyping
 
-### Analytics
+**Not designed for:**
+- Banks
+- Governments
+- Enterprise zero-trust teams
+  *(you're looking for Vault, Doppler, or AWS Secrets Manager)*
 
-Keyway uses PostHog for privacy-first analytics. To configure:
+## Example Workflow
 
 ```bash
-export KEYWAY_POSTHOG_KEY=your_posthog_key
-export KEYWAY_POSTHOG_HOST=https://app.posthog.com
+git clone git@github.com:acme/backend.git
+cd backend
+keyway pull
+# ✓ secrets pulled
+npm run dev
 ```
 
-Disable telemetry:
+Add a new secret:
 
 ```bash
-export KEYWAY_DISABLE_TELEMETRY=1
+echo "STRIPE_KEY=sk_live_xxx" >> .env
+keyway push
+# ✓ 1 secret updated
 ```
 
-The CLI ships with built-in analytics defaults; use the env vars above to override for development.
-
-**Privacy:** No secret names or values are ever sent to analytics.
-
-## How It Works
+## Configuration
 
-1. **Authentication**: Uses your GitHub token to verify identity
-2. **Authorization**: Checks if you're a collaborator/admin on the repository
-3. **Encryption**: All secrets are encrypted server-side with AES-256-GCM
-4. **Storage**: Encrypted secrets stored in PostgreSQL
-5. **Retrieval**: Secrets are decrypted and returned only to authorized users
+### GitHub Token (alternative to login)
 
-## Development
+If you cannot use the login flow, set a GitHub token manually:
 
 ```bash
-# Install dependencies
-npm install
-
-# Run in dev mode
-npm run dev
+# Environment variable
+export GITHUB_TOKEN=your_github_personal_access_token
 
-# Build
-npm run build
+# Or via git config
+git config --global github.token your_github_personal_access_token
+```
 
-# Watch mode
-npm run build:watch
+### API URL
 
-# Run tests
-npm test
+By default, Keyway uses the production API. To point to another API:
 
-# Test locally
-npm link
-keyway --version
+```bash
+export KEYWAY_API_URL=http://localhost:3000
 ```
 
-## Architecture
+### Disable Telemetry
 
-```
-src/
-├── cli.tsx          # Main CLI entry point with commander
-├── types.ts         # TypeScript types and interfaces
-├── ui/              # Ink React components
-│   ├── Banner.tsx   # Startup banner with gradient
-│   └── Spinner.tsx  # Loading spinner component
-├── cmds/            # Command implementations
-│   ├── init.ts      # Initialize vault
-│   ├── push.ts      # Push secrets
-│   ├── pull.ts      # Pull secrets
-│   └── doctor.tsx   # Environment diagnostics
-├── utils/           # Utility functions
-│   ├── analytics.ts # PostHog integration
-│   ├── api.ts       # API client
-│   └── git.ts       # Git helpers
-└── core/            # Core business logic
-    └── doctor.ts    # Doctor checks implementations
+```bash
+export KEYWAY_DISABLE_TELEMETRY=1
 ```
 
-## Privacy & Security
-
-### Analytics Safety
+## Privacy & Analytics
 
 **NEVER tracked:**
-- Secret names (e.g., `API_KEY`, `DATABASE_URL`)
-- Secret values
+- Secret names or values
 - Environment variable content
 - Access tokens
 - File contents
@@ -245,21 +249,13 @@ src/
 **Only tracked:**
 - Command usage (init, push, pull)
 - Repository names (public info)
-- Environment names (e.g., "production")
-- Number of variables (count only)
 - Error messages (sanitized)
-- Machine-specific anonymous ID
-
-### Distinct ID
-
-Each machine has a unique, anonymous identifier stored in `~/.config/keyway/id.json`. This ID is randomly generated and contains no personally identifiable information.
 
 ## Troubleshooting
 
 ### "Not in a git repository"
 
 ```bash
-# Initialize git and add a remote
 git init
 git remote add origin git@github.com:your-org/your-repo.git
 ```
@@ -267,14 +263,14 @@ git remote add origin git@github.com:your-org/your-repo.git
 ### "GitHub token not found"
 
 ```bash
-# Set your GitHub token
+keyway login
+# or
 export GITHUB_TOKEN=your_token
 ```
 
 ### "Vault not found"
 
 ```bash
-# Initialize the vault first
 keyway init
 ```
 
@@ -282,36 +278,24 @@ keyway init
 
 Make sure you're a collaborator or admin on the GitHub repository.
 
-### Disabling the Banner
+## TL;DR
 
 ```bash
-# Via command line flag
-keyway --no-banner doctor
-
-# Via environment variable
-export KEYWAY_NO_BANNER=1
-keyway doctor
+npm i -g @keywaysh/cli
+keyway login
+keyway init
+keyway pull
 ```
 
-## Publishing to npm
+No more Slack. No more outdated `.env`.
+Your team stays perfectly in sync.
 
-```bash
-# Update version
-npm version patch  # or minor, or major
-
-# Build
-npm run build
+## Support
 
-# Publish
-npm publish
-```
+- **Issues**: [github.com/keywaysh/cli/issues](https://github.com/keywaysh/cli/issues)
+- **Email**: unlock@keyway.sh
+- **Website**: [keyway.sh](https://keyway.sh)
 
 ## License
 
 MIT © Nicolas Ritouet
-
-## Support
-
-- **Issues**: https://github.com/keywaysh/cli/issues
-- **Email**: unlock@keyway.sh
-- **Website**: https://keyway.sh

package/dist/cli.js

@@ -106,47 +106,64 @@ async function initVault(repoFullName, accessToken) {
   if (accessToken) {
     headers.Authorization = `Bearer ${accessToken}`;
   }
-  const response = await fetch(`${API_BASE_URL}/vaults/init`, {
+  const response = await fetch(`${API_BASE_URL}/v1/vaults`, {
     method: "POST",
     headers,
     body: JSON.stringify(body)
   });
-  return handleResponse(response);
+  const result = await handleResponse(response);
+  return result.data;
+}
+function parseEnvContent(content) {
+  const result = {};
+  const lines = content.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.substring(0, eqIndex).trim();
+    let value = trimmed.substring(eqIndex + 1);
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key) result[key] = value;
+  }
+  return result;
 }
 async function pushSecrets(repoFullName, environment, content, accessToken) {
-  const body = { content };
+  const secrets = parseEnvContent(content);
+  const body = { repoFullName, environment, secrets };
   const headers = { "Content-Type": "application/json" };
   if (accessToken) {
     headers.Authorization = `Bearer ${accessToken}`;
   }
-  const encodedRepo = encodeURIComponent(repoFullName);
-  const response = await fetch(
-    `${API_BASE_URL}/vaults/${encodedRepo}/${environment}/push`,
-    {
-      method: "POST",
-      headers,
-      body: JSON.stringify(body)
-    }
-  );
-  return handleResponse(response);
+  const response = await fetch(`${API_BASE_URL}/v1/secrets/push`, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body)
+  });
+  const result = await handleResponse(response);
+  return result.data;
 }
 async function pullSecrets(repoFullName, environment, accessToken) {
-  const encodedRepo = encodeURIComponent(repoFullName);
   const headers = { "Content-Type": "application/json" };
   if (accessToken) {
     headers.Authorization = `Bearer ${accessToken}`;
   }
-  const response = await fetch(
-    `${API_BASE_URL}/vaults/${encodedRepo}/${environment}/pull`,
-    {
-      method: "GET",
-      headers
-    }
-  );
-  return handleResponse(response);
+  const params = new URLSearchParams({
+    repo: repoFullName,
+    environment
+  });
+  const response = await fetch(`${API_BASE_URL}/v1/secrets/pull?${params}`, {
+    method: "GET",
+    headers
+  });
+  const result = await handleResponse(response);
+  return { content: result.data.content };
 }
 async function startDeviceLogin(repository) {
-  const response = await fetch(`${API_BASE_URL}/auth/device/start`, {
+  const response = await fetch(`${API_BASE_URL}/v1/auth/device/start`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify(repository ? { repository } : {})
@@ -154,7 +171,7 @@ async function startDeviceLogin(repository) {
   return handleResponse(response);
 }
 async function pollDeviceLogin(deviceCode) {
-  const response = await fetch(`${API_BASE_URL}/auth/device/poll`, {
+  const response = await fetch(`${API_BASE_URL}/v1/auth/device/poll`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({ deviceCode })
@@ -162,7 +179,7 @@ async function pollDeviceLogin(deviceCode) {
   return handleResponse(response);
 }
 async function validateToken(token) {
-  const response = await fetch(`${API_BASE_URL}/auth/token/validate`, {
+  const response = await fetch(`${API_BASE_URL}/v1/auth/token/validate`, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
@@ -183,7 +200,7 @@ import fs from "fs";
 // package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.0.3",
+  version: "0.0.4",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -199,7 +216,10 @@ var package_default = {
     "build:watch": "pnpm exec tsup --watch",
     prepublishOnly: "pnpm run build",
     test: "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest"
+    "test:watch": "pnpm exec vitest",
+    release: "npm version patch && git push && git push --tags",
+    "release:minor": "npm version minor && git push && git push --tags",
+    "release:major": "npm version major && git push && git push --tags"
   },
   keywords: [
     "secrets",
@@ -535,7 +555,7 @@ import path2 from "path";
 import prompts2 from "prompts";
 import chalk2 from "chalk";
 function generateBadge(repo) {
-  return `[![Keyway Secrets](https://keyway.sh/badge.svg?repo=${repo})](https://keyway.sh/repo/${repo})`;
+  return `[![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=${repo})](https://www.keyway.sh/dashboard/vaults/${repo})`;
 }
 function insertBadgeIntoReadme(readmeContent, badge) {
   if (readmeContent.includes("keyway.sh/badge.svg")) {
@@ -546,6 +566,9 @@ function insertBadgeIntoReadme(readmeContent, badge) {
   if (titleIndex !== -1) {
     const before = lines.slice(0, titleIndex + 1);
     const after = lines.slice(titleIndex + 1);
+    while (after.length > 0 && after[0].trim() === "") {
+      after.shift();
+    }
     const newLines = [...before, "", badge, "", ...after];
     return newLines.join("\n");
   }
@@ -828,6 +851,16 @@ async function pushCommand(options) {
     console.log("\nUploading secrets...");
     const response = await pushSecrets(repoFullName, environment, content, accessToken);
     console.log(chalk4.green("\n\u2713 " + response.message));
+    if (response.stats) {
+      const { created, updated, deleted } = response.stats;
+      const parts = [];
+      if (created > 0) parts.push(chalk4.green(`+${created} created`));
+      if (updated > 0) parts.push(chalk4.yellow(`~${updated} updated`));
+      if (deleted > 0) parts.push(chalk4.red(`-${deleted} deleted`));
+      if (parts.length > 0) {
+        console.log(`Stats: ${parts.join(", ")}`);
+      }
+    }
     console.log(`
 Your secrets are now encrypted and stored securely.`);
     console.log(`To retrieve them, run: ${chalk4.cyan(`keyway pull --env ${environment}`)}`);
@@ -925,7 +958,7 @@ import { execSync as execSync2 } from "child_process";
 import { writeFileSync, unlinkSync, readFileSync, existsSync } from "fs";
 import { tmpdir } from "os";
 import { join } from "path";
-var API_HEALTH_URL = `${process.env.KEYWAY_API_URL || INTERNAL_API_URL}/`;
+var API_HEALTH_URL = `${process.env.KEYWAY_API_URL || INTERNAL_API_URL}/v1/health`;
 async function checkNode() {
   const nodeVersion = process.versions.node;
   const [major] = nodeVersion.split(".").map(Number);
@@ -1100,7 +1133,7 @@ async function checkSystemClock() {
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetch("https://api.keyway.sh/", {
+    const response = await fetch("https://api.keyway.sh/v1/health", {
       method: "HEAD",
       signal: controller.signal
     });
@@ -1234,7 +1267,7 @@ Summary: ${formatSummary(results)}`);
 // package.json with { type: 'json' }
 var package_default2 = {
   name: "@keywaysh/cli",
-  version: "0.0.3",
+  version: "0.0.4",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -1250,7 +1283,10 @@ var package_default2 = {
     "build:watch": "pnpm exec tsup --watch",
     prepublishOnly: "pnpm run build",
     test: "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest"
+    "test:watch": "pnpm exec vitest",
+    release: "npm version patch && git push && git push --tags",
+    "release:minor": "npm version minor && git push && git push --tags",
+    "release:major": "npm version major && git push && git push --tags"
   },
   keywords: [
     "secrets",
@@ -1293,11 +1329,6 @@ var package_default2 = {
 
 // src/cli.ts
 var program = new Command();
-var shouldShowBanner = () => {
-  if (process.env.KEYWAY_NO_BANNER === "1") return false;
-  const argv = process.argv.slice(2);
-  return !argv.includes("--no-banner") && argv.length > 0;
-};
 var showBanner = () => {
   const text = chalk7.cyan.bold("Keyway CLI");
   const subtitle = chalk7.gray("GitHub-native secrets manager for dev teams");
@@ -1306,10 +1337,8 @@ ${text}
 ${subtitle}
 `);
 };
-if (shouldShowBanner()) {
-  showBanner();
-}
-program.name("keyway").description("GitHub-native secrets manager for dev teams").version(package_default2.version).option("--no-banner", "Disable the startup banner");
+showBanner();
+program.name("keyway").description("GitHub-native secrets manager for dev teams").version(package_default2.version);
 program.command("init").description("Initialize a vault for the current repository").option("--no-login-prompt", "Fail instead of prompting to login if unauthenticated").action(async (options) => {
   await initCommand(options);
 });
@@ -1328,9 +1357,6 @@ program.command("logout").description("Clear stored Keyway credentials").action(
 program.command("doctor").description("Run environment checks to ensure Keyway runs smoothly").option("--json", "Output results as JSON for machine processing", false).option("--strict", "Treat warnings as failures", false).action(async (options) => {
   await doctorCommand(options);
 });
-program.command("readme").description("README utilities").command("add-badge").description("Insert the Keyway badge into README").action(async () => {
-  await addBadgeToReadme();
-});
 program.parseAsync().catch((error) => {
   console.error(chalk7.red("Error:"), error.message || error);
   process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keywaysh/cli",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "One link to all your secrets",
   "type": "module",
   "bin": {
@@ -10,6 +10,17 @@
   "files": [
     "dist"
   ],
+  "scripts": {
+    "dev": "pnpm exec tsx src/cli.ts",
+    "build": "pnpm exec tsup",
+    "build:watch": "pnpm exec tsup --watch",
+    "prepublishOnly": "pnpm run build",
+    "test": "pnpm exec vitest run",
+    "test:watch": "pnpm exec vitest",
+    "release": "npm version patch && git push && git push --tags",
+    "release:minor": "npm version minor && git push && git push --tags",
+    "release:major": "npm version major && git push && git push --tags"
+  },
   "keywords": [
     "secrets",
     "env",
@@ -27,6 +38,7 @@
   "bugs": {
     "url": "https://github.com/keywaysh/cli/issues"
   },
+  "packageManager": "pnpm@10.6.1",
   "engines": {
     "node": ">=18.0.0"
   },
@@ -45,12 +57,5 @@
     "tsx": "^4.20.3",
     "typescript": "^5.9.2",
     "vitest": "^3.2.4"
-  },
-  "scripts": {
-    "dev": "pnpm exec tsx src/cli.ts",
-    "build": "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    "test": "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest"
   }
-}
+}