@keywaysh/cli 0.1.16 → 0.3.1

package/README.md

@@ -1,322 +1,47 @@
-<div align="center">
-  <h1>Keyway CLI</h1>
-  <strong>The simplest way to sync your project's environment variables.</strong><br/>
-  Stop sending <code>.env</code> files on Slack. One command and you're in sync.
-  <br/><br/>
-  <a href="https://keyway.sh">keyway.sh</a> ·
-  <a href="https://github.com/keywaysh/cli">GitHub</a> ·
-  <a href="https://www.npmjs.com/package/@keywaysh/cli">NPM</a> ·
-  <a href="https://status.keyway.sh">Status</a>
-  <br/><br/>
+# @keywaysh/cli
 
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![npm version](https://img.shields.io/npm/v/@keywaysh/cli.svg)](https://www.npmjs.com/package/@keywaysh/cli)
+GitHub-native secrets management. If you have repo access, you get secret access.
 
-</div>
-
-## Why Keyway?
-
-Most devs store secrets in... chaotic places:
-
-- Slack
-- Notion
-- Discord
-- Google Docs
-- Lost `.env` files
-- Messages you can't find anymore
-- Machine of the dev who left the project
-
-**Keyway fixes that.**
-
-If you have GitHub access to a repo → you have access to its secrets.
-No invites. No dashboards. No complex config.
-Just one command that works.
-
-## Install
+## Installation
 
 ```bash
 npm install -g @keywaysh/cli
 ```
 
-## Quick Start
-
-Inside any project connected to GitHub:
+Or with npx:
 
 ```bash
-keyway login
-keyway init
+npx @keywaysh/cli pull
 ```
 
-What happens:
-
-1. Keyway authenticates via GitHub OAuth
-2. Detects your GitHub repo
-3. Creates a vault for this repo
-4. Asks if you want to sync your `.env`
-
-Then any teammate can simply run:
-
-```bash
-keyway pull
-```
-
-And boom: your `.env` is recreated locally.
-
-## Commands
-
-### `keyway login`
-
-Authenticate with GitHub through the Keyway OAuth/device flow.
+## Quick Start
 
 ```bash
+# Sign in with GitHub
 keyway login
-```
 
-If you prefer using a fine-grained PAT:
-
-```bash
-keyway login --token
-```
-
-### `keyway init`
-
-Initialize a vault for the current repository.
-
-```bash
+# Initialize vault for current repo
 keyway init
-```
-
-Creates a vault, pushes your `.env`, and sets everything up.
 
-### `keyway push`
-
-Push your local `.env` to the vault.
-
-```bash
-# Push to development (default)
+# Push secrets from .env
 keyway push
 
-# Push to a specific environment
-keyway push --env production
-
-# Push a different file
-keyway push --file .env.staging --env staging
-```
-
-Useful when:
-- you added a new variable
-- you rotated a key
-- you fixed a staging/production mismatch
-
-### `keyway pull`
-
-Pull secrets from the vault and write them to `.env`.
-
-```bash
-# Pull development environment (default)
-keyway pull
-
-# Pull from a specific environment
-keyway pull --env production
-
-# Pull to a different file
-keyway pull --file .env.local
-```
-
-Perfect for:
-- onboarding a new dev
-- syncing your local environment
-- switching between machines
-
-### `keyway doctor`
-
-Diagnostic command to check your setup.
-
-```bash
-keyway doctor
-
-# Output as JSON (for CI/CD)
-keyway doctor --json
-
-# Strict mode (treat warnings as failures)
-keyway doctor --strict
-```
-
-**Checks performed:**
-- Node.js version (≥18.0.0 required)
-- Git installation and repository status
-- API connectivity
-- File system write permissions
-- `.gitignore` configuration
-- System clock synchronization
-
-### `keyway logout`
-
-Clear stored Keyway credentials.
-
-```bash
-keyway logout
-```
-
-### `keyway sync`
-
-**One command to deploy your secrets everywhere.**
-
-Sync your vault to Vercel, Netlify, and more. No more copy-pasting environment variables between dashboards.
-
-```bash
-keyway sync vercel
-keyway sync netlify
-keyway sync railway
-```
-
-The CLI handles everything:
-1. OAuth connection (first time only)
-2. Project auto-detection
-3. Smart diff (only updates what changed)
-
-Your local `.env`, Vercel, Netlify, Railway — all in sync with one command.
-
-## Security
-
-Keyway is designed to be **simple and secure** — a major upgrade from Slack or Notion, without the complexity of Hashicorp Vault or AWS Secrets Manager.
-
-**What we do:**
-- AES-256-GCM encryption server-side and client-side token storage
-- TLS everywhere (HTTPS enforced)
-- GitHub read-only permissions
-- No access to your code
-- Secrets stored encrypted at rest
-- No analytics on secret values (only metadata)
-- Encrypted token storage with file permissions
-
-**What we don't do:**
-- No zero-trust enterprise model
-- No access to your cloud infrastructure
-- No access to your production deployment keys
-
-For detailed security information, see [SECURITY.md](./SECURITY.md) and [keyway.sh/security](https://keyway.sh/security)
-
-## Who is this for?
-
-Keyway is perfect for:
-- Solo developers
-- Small teams
-- Side-projects
-- Early SaaS
-- Agencies managing many repos
-- Rapid prototyping
-
-**Not designed for:**
-- Banks
-- Governments
-- Enterprise zero-trust teams
-  *(you're looking for Vault, Doppler, or AWS Secrets Manager)*
-
-## Example Workflow
-
-```bash
-git clone git@github.com:acme/backend.git
-cd backend
+# Pull secrets to .env
 keyway pull
-# ✓ secrets pulled
-npm run dev
-```
-
-Add a new secret:
-
-```bash
-echo "STRIPE_KEY=sk_live_xxx" >> .env
-keyway push
-# ✓ 1 secret updated
 ```
 
-## Configuration
+## Alternative Installation
 
-### GitHub Token (alternative to login)
-
-If you cannot use the login flow, set a GitHub token manually:
+Using the install script:
 
 ```bash
-# Environment variable
-export GITHUB_TOKEN=your_github_personal_access_token
-
-# Or via git config
-git config --global github.token your_github_personal_access_token
+curl -fsSL https://keyway.sh/install.sh | sh
 ```
 
-### API URL
-
-By default, Keyway uses the production API. To point to another API:
-
-```bash
-export KEYWAY_API_URL=http://localhost:3000
-```
-
-### Disable Telemetry
-
-```bash
-export KEYWAY_DISABLE_TELEMETRY=1
-```
-
-## Privacy & Analytics
-
-**NEVER tracked:**
-- Secret names or values
-- Environment variable content
-- Access tokens
-- File contents
-
-**Only tracked:**
-- Command usage (init, push, pull)
-- Repository names (public info)
-- Error messages (sanitized)
-
-## Troubleshooting
-
-### "Not in a git repository"
-
-```bash
-git init
-git remote add origin git@github.com:your-org/your-repo.git
-```
-
-### "GitHub token not found"
-
-```bash
-keyway login
-# or
-export GITHUB_TOKEN=your_token
-```
-
-### "Vault not found"
-
-```bash
-keyway init
-```
-
-### "You do not have access to this repository"
-
-Make sure you're a collaborator or admin on the GitHub repository.
-
-## TL;DR
-
-```bash
-npm i -g @keywaysh/cli
-keyway login
-keyway init
-keyway pull
-```
-
-No more Slack. No more outdated `.env`.
-Your team stays perfectly in sync.
-
-## Support
+## Documentation
 
-- **Issues**: [github.com/keywaysh/cli/issues](https://github.com/keywaysh/cli/issues)
-- **Email**: hello@keyway.sh
-- **Website**: [keyway.sh](https://keyway.sh)
+Visit [docs.keyway.sh](https://docs.keyway.sh) for full documentation.
 
 ## License
 
-MIT © Nicolas Ritouet
+MIT

package/bin/keyway

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+
+const { spawnSync } = require("child_process");
+const path = require("path");
+const fs = require("fs");
+
+const binaryName = process.platform === "win32" ? "keyway-bin.exe" : "keyway-bin";
+const binaryPath = path.join(__dirname, binaryName);
+
+if (!fs.existsSync(binaryPath)) {
+  console.error("keyway binary not found. Try reinstalling: npm install @keywaysh/cli");
+  process.exit(1);
+}
+
+const result = spawnSync(binaryPath, process.argv.slice(2), {
+  stdio: "inherit",
+  env: process.env,
+});
+
+if (result.error) {
+  console.error("Failed to run keyway:", result.error.message);
+  process.exit(1);
+}
+
+process.exit(result.status || 0);

package/package.json

@@ -1,70 +1,33 @@
 {
   "name": "@keywaysh/cli",
-  "version": "0.1.16",
-  "description": "One link to all your secrets",
-  "type": "module",
+  "version": "0.3.1",
+  "description": "GitHub-native secrets management CLI",
   "bin": {
-    "keyway": "./dist/cli.js"
+    "keyway": "./bin/keyway"
   },
-  "main": "./dist/cli.js",
-  "files": [
-    "dist"
-  ],
   "scripts": {
-    "dev": "pnpm exec tsx src/cli.ts",
-    "dev:local": "NODE_TLS_REJECT_UNAUTHORIZED=0 KEYWAY_API_URL=https://localhost/api pnpm exec tsx src/cli.ts",
-    "build": "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    "prepublishOnly": "pnpm run build",
-    "test": "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest",
-    "test:coverage": "pnpm exec vitest run --coverage",
-    "release": "npm version patch && git push && git push --tags",
-    "release:minor": "npm version minor && git push && git push --tags",
-    "release:major": "npm version major && git push && git push --tags"
+    "postinstall": "node scripts/install.js"
   },
-  "keywords": [
-    "secrets",
-    "env",
-    "keyway",
-    "cli",
-    "devops"
-  ],
-  "author": "Nicolas Ritouet",
-  "license": "MIT",
-  "homepage": "https://keyway.sh",
   "repository": {
     "type": "git",
-    "url": "https://github.com/keywaysh/cli.git"
+    "url": "git+https://github.com/keywaysh/cli-go.git"
   },
+  "homepage": "https://keyway.sh",
   "bugs": {
-    "url": "https://github.com/keywaysh/cli/issues"
+    "url": "https://github.com/keywaysh/cli-go/issues"
   },
-  "packageManager": "pnpm@10.6.1",
+  "keywords": [
+    "secrets",
+    "cli",
+    "github",
+    "env",
+    "environment-variables",
+    "dotenv",
+    "secrets-management"
+  ],
+  "author": "Keyway <hello@keyway.sh>",
+  "license": "MIT",
   "engines": {
-    "node": ">=18.0.0"
-  },
-  "dependencies": {
-    "@octokit/rest": "^22.0.1",
-    "balanced-match": "^3.0.1",
-    "commander": "^14.0.0",
-    "conf": "^15.0.2",
-    "libsodium-wrappers": "^0.7.15",
-    "open": "^11.0.0",
-    "picocolors": "^1.1.1",
-    "posthog-node": "^3.5.0",
-    "prompts": "^2.4.2"
-  },
-  "devDependencies": {
-    "@types/balanced-match": "^3.0.2",
-    "@types/libsodium-wrappers": "^0.7.14",
-    "@types/node": "^24.2.0",
-    "@types/prompts": "^2.4.9",
-    "@vitest/coverage-v8": "^3.0.0",
-    "msw": "^2.12.4",
-    "tsup": "^8.5.0",
-    "tsx": "^4.20.3",
-    "typescript": "^5.9.2",
-    "vitest": "^3.2.4"
+    "node": ">=14"
   }
 }

package/scripts/install.js

@@ -0,0 +1,216 @@
+#!/usr/bin/env node
+
+const https = require("https");
+const fs = require("fs");
+const path = require("path");
+const { execSync, spawnSync } = require("child_process");
+const os = require("os");
+const crypto = require("crypto");
+
+const VERSION = require("../package.json").version;
+const REPO = "keywaysh/cli-go";
+const BINARY_NAME = "keyway";
+
+const PLATFORMS = {
+  "darwin-arm64": "darwin_arm64",
+  "darwin-x64": "darwin_amd64",
+  "linux-arm64": "linux_arm64",
+  "linux-x64": "linux_amd64",
+  "win32-x64": "windows_amd64",
+  "win32-arm64": "windows_arm64",
+};
+
+function getPlatformKey() {
+  return `${process.platform}-${process.arch}`;
+}
+
+function getBinaryPath() {
+  const binDir = path.join(__dirname, "..", "bin");
+  // Use keyway-bin to avoid conflict with the wrapper script
+  const binaryName = process.platform === "win32" ? `${BINARY_NAME}-bin.exe` : `${BINARY_NAME}-bin`;
+  return path.join(binDir, binaryName);
+}
+
+function fetch(url) {
+  return new Promise((resolve, reject) => {
+    const request = https.get(url, (response) => {
+      if (response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        // Follow redirect
+        fetch(response.headers.location).then(resolve).catch(reject);
+        return;
+      }
+
+      if (response.statusCode !== 200) {
+        reject(new Error(`Failed to download: ${response.statusCode}`));
+        return;
+      }
+
+      const chunks = [];
+      response.on("data", (chunk) => chunks.push(chunk));
+      response.on("end", () => resolve(Buffer.concat(chunks)));
+      response.on("error", reject);
+    });
+
+    request.on("error", reject);
+    request.setTimeout(60000, () => {
+      request.destroy();
+      reject(new Error("Request timeout"));
+    });
+  });
+}
+
+async function downloadChecksum() {
+  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/checksums.txt`;
+  try {
+    const data = await fetch(url);
+    return data.toString();
+  } catch (error) {
+    console.warn("Warning: Could not download checksums file");
+    return null;
+  }
+}
+
+function verifyChecksum(buffer, checksums, filename) {
+  if (!checksums) return true;
+
+  const hash = crypto.createHash("sha256").update(buffer).digest("hex");
+  const expectedLine = checksums.split("\n").find((line) => line.includes(filename));
+
+  if (!expectedLine) {
+    console.warn(`Warning: No checksum found for ${filename}`);
+    return true;
+  }
+
+  const expectedHash = expectedLine.split(/\s+/)[0];
+  if (hash !== expectedHash) {
+    throw new Error(`Checksum mismatch for ${filename}\nExpected: ${expectedHash}\nGot: ${hash}`);
+  }
+
+  return true;
+}
+
+async function extractTarGz(buffer, destDir) {
+  const tmpFile = path.join(os.tmpdir(), `keyway-${Date.now()}.tar.gz`);
+  fs.writeFileSync(tmpFile, buffer);
+
+  try {
+    execSync(`tar -xzf "${tmpFile}" -C "${destDir}"`, { stdio: "pipe" });
+  } finally {
+    fs.unlinkSync(tmpFile);
+  }
+}
+
+async function extractZip(buffer, destDir) {
+  const tmpFile = path.join(os.tmpdir(), `keyway-${Date.now()}.zip`);
+  fs.writeFileSync(tmpFile, buffer);
+
+  try {
+    // Try powershell on Windows
+    if (process.platform === "win32") {
+      execSync(
+        `powershell -Command "Expand-Archive -Path '${tmpFile}' -DestinationPath '${destDir}' -Force"`,
+        { stdio: "pipe" }
+      );
+    } else {
+      execSync(`unzip -o "${tmpFile}" -d "${destDir}"`, { stdio: "pipe" });
+    }
+  } finally {
+    fs.unlinkSync(tmpFile);
+  }
+}
+
+async function install() {
+  const platformKey = getPlatformKey();
+  const target = PLATFORMS[platformKey];
+
+  if (!target) {
+    console.error(`\nUnsupported platform: ${platformKey}`);
+    console.error(`Supported platforms: ${Object.keys(PLATFORMS).join(", ")}`);
+    console.error(`\nYou can install manually from: https://github.com/${REPO}/releases`);
+    process.exit(1);
+  }
+
+  const binDir = path.join(__dirname, "..", "bin");
+  const binaryPath = getBinaryPath();
+
+  // Check if binary already exists and is correct version
+  if (fs.existsSync(binaryPath)) {
+    try {
+      const result = spawnSync(binaryPath, ["--version"], { encoding: "utf8" });
+      if (result.stdout && result.stdout.includes(VERSION)) {
+        console.log(`keyway v${VERSION} already installed`);
+        return;
+      }
+    } catch (e) {
+      // Binary exists but couldn't run, reinstall
+    }
+  }
+
+  const isWindows = process.platform === "win32";
+  const ext = isWindows ? "zip" : "tar.gz";
+  const filename = `${BINARY_NAME}_${VERSION}_${target}.${ext}`;
+  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${filename}`;
+
+  console.log(`Downloading keyway v${VERSION} for ${target}...`);
+
+  try {
+    // Download checksums and binary in parallel
+    const [checksums, archiveBuffer] = await Promise.all([downloadChecksum(), fetch(url)]);
+
+    // Verify checksum
+    verifyChecksum(archiveBuffer, checksums, filename);
+
+    // Create bin directory
+    if (!fs.existsSync(binDir)) {
+      fs.mkdirSync(binDir, { recursive: true });
+    }
+
+    // Extract to temp dir first, then move binary
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "keyway-"));
+
+    try {
+      if (isWindows) {
+        await extractZip(archiveBuffer, tmpDir);
+      } else {
+        await extractTarGz(archiveBuffer, tmpDir);
+      }
+
+      // Find and move the binary (archive contains 'keyway', we save as 'keyway-bin')
+      const archiveBinaryName = isWindows ? `${BINARY_NAME}.exe` : BINARY_NAME;
+      const extractedBinary = path.join(tmpDir, archiveBinaryName);
+
+      if (!fs.existsSync(extractedBinary)) {
+        throw new Error(`Binary not found in archive: ${archiveBinaryName}`);
+      }
+
+      // Remove old binary if exists
+      if (fs.existsSync(binaryPath)) {
+        fs.unlinkSync(binaryPath);
+      }
+
+      fs.copyFileSync(extractedBinary, binaryPath);
+
+      // Make executable on Unix
+      if (!isWindows) {
+        fs.chmodSync(binaryPath, 0o755);
+      }
+
+      console.log(`Successfully installed keyway v${VERSION}`);
+    } finally {
+      // Cleanup temp directory
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  } catch (error) {
+    console.error(`\nFailed to install keyway: ${error.message}`);
+    console.error(`\nYou can install manually from: https://github.com/${REPO}/releases`);
+    console.error(`Or use: curl -fsSL https://keyway.sh/install.sh | sh`);
+    process.exit(1);
+  }
+}
+
+// Only run if called directly (not required as module)
+if (require.main === module) {
+  install();
+}
+
+module.exports = { install, getBinaryPath };