@keywaysh/cli 0.2.0 → 0.3.2

package/README.md

@@ -1,236 +1,47 @@
-<div align="center">
-  <h1>Keyway CLI</h1>
-  <p><strong>Sync .env files across your team in 30 seconds.</strong></p>
-  <p>Stop sharing secrets on Slack. One command and everyone's in sync.</p>
-  <br/>
+# @keywaysh/cli
 
-[![npm version](https://img.shields.io/npm/v/@keywaysh/cli.svg?style=flat-square)](https://www.npmjs.com/package/@keywaysh/cli)
-[![npm downloads](https://img.shields.io/npm/dm/@keywaysh/cli.svg?style=flat-square)](https://www.npmjs.com/package/@keywaysh/cli)
-[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg?style=flat-square)](https://opensource.org/licenses/MIT)
-[![.env by Keyway](https://keyway.sh/badge.svg?repo=keywaysh/cli)](https://keyway.sh)
+GitHub-native secrets management. If you have repo access, you get secret access.
 
-  <br/>
-  <a href="https://keyway.sh">Website</a> •
-  <a href="https://docs.keyway.sh">Docs</a> •
-  <a href="https://keyway.sh/security">Security</a> •
-  <a href="https://status.keyway.sh">Status</a>
-</div>
+## Installation
 
-<br/>
-
-## Quick Start (30 seconds)
-
-**1. Setup your project:**
 ```bash
 npm install -g @keywaysh/cli
-keyway init
 ```
 
-**2. Teammates pull secrets:**
-```bash
-keyway pull
-```
+Or with npx:
 
-**3. Deploy to Vercel:**
 ```bash
-keyway sync vercel
-```
-
-<br/>
-
-<details>
-<summary><strong>See it in action</strong></summary>
-
-```
-$ keyway init
-✓ Logged in as @nicolas
-✓ Detected repo: acme/backend
-✓ Vault created
-? Push your .env to the vault? Yes
-✓ 12 secrets encrypted and stored
-
-$ keyway pull
-✓ .env synced (12 secrets)
+npx @keywaysh/cli pull
 ```
 
-</details>
-
-<br/>
-
-## Why Keyway?
-
-Your secrets are probably in:
-
-- 💬 Slack DMs
-- 📝 Notion pages
-- 📧 Old emails
-- 🤷 The laptop of the dev who left
-
-**Keyway fixes that.** If you have GitHub repo access → you have secret access. No invites, no dashboards, no YAML.
-
-<br/>
-
-## Install
+## Quick Start
 
 ```bash
-# npm
-npm install -g @keywaysh/cli
-
-# pnpm
-pnpm add -g @keywaysh/cli
-
-# yarn
-yarn global add @keywaysh/cli
-
-# bun
-bun add -g @keywaysh/cli
-```
-
-<br/>
-
-## Commands
-
-| Command | What it does |
-|---------|--------------|
-| `keyway login` | Authenticate with GitHub |
-| `keyway init` | Create a vault for this repo |
-| `keyway push` | Upload `.env` to vault |
-| `keyway pull` | Download secrets to `.env` |
-| `keyway sync vercel` | Deploy secrets to Vercel |
-| `keyway doctor` | Debug your setup |
-
-<br/>
+# Sign in with GitHub
+keyway login
 
-### Push & Pull
+# Initialize vault for current repo
+keyway init
 
-```bash
-# Push your local .env
+# Push secrets from .env
 keyway push
 
-# Push to a specific environment
-keyway push --env production
-
-# Pull secrets
-keyway pull
-
-# Pull from production
-keyway pull --env production
-```
-
-<br/>
-
-### Sync to Providers
-
-Deploy your secrets to Vercel, Netlify, or Railway with one command:
-
-```bash
-keyway sync vercel
-keyway sync netlify
-keyway sync railway
-```
-
-First time: OAuth flow. After that: instant sync.
-
-<br/>
-
-## Real-World Workflows
-
-**New dev joins the team:**
-```bash
-git clone git@github.com:acme/app.git
-cd app
+# Pull secrets to .env
 keyway pull
-npm run dev  # Ready to code
 ```
 
-**Rotate an API key:**
-```bash
-# Update .env locally, then:
-keyway push
-# Done. Everyone pulls the update.
-```
-
-**Deploy to production:**
-```bash
-keyway push --env production
-keyway sync vercel
-```
-
-<br/>
-
-## Security
-
-Keyway is a **major upgrade from Slack** without the complexity of Vault or AWS Secrets Manager.
+## Alternative Installation
 
-| Feature | Status |
-|---------|--------|
-| AES-256-GCM encryption | ✅ |
-| Encrypted at rest | ✅ |
-| TLS 1.3 everywhere | ✅ |
-| GitHub-based access control | ✅ |
-| No access to your code | ✅ |
-| SOC2 / enterprise compliance | ❌ |
-
-**We never track secret values.** Only metadata (command usage, repo names).
-
-→ [Full security details](https://keyway.sh/security)
-
-<br/>
-
-## Who is this for?
-
-**Perfect for:**
-- Solo devs
-- Small teams (2-20)
-- Side projects
-- Agencies
-- Early-stage startups
-
-**Not for:**
-- Banks, governments, enterprises needing SOC2/zero-trust
-- (Try Vault, Doppler, or AWS Secrets Manager)
-
-<br/>
-
-## Configuration
+Using the install script:
 
 ```bash
-# Use a different API
-export KEYWAY_API_URL=https://your-api.com
-
-# Disable telemetry
-export KEYWAY_DISABLE_TELEMETRY=1
+curl -fsSL https://keyway.sh/install.sh | sh
 ```
 
-<br/>
+## Documentation
 
-## Troubleshooting
-
-| Error | Fix |
-|-------|-----|
-| "Not in a git repository" | Run `git init && git remote add origin ...` |
-| "Vault not found" | Run `keyway init` |
-| "No access to repository" | Check you're a GitHub collaborator |
-
-Run `keyway doctor` for full diagnostics.
-
-<br/>
-
-## Links
-
-- **Website:** [keyway.sh](https://keyway.sh)
-- **Docs:** [docs.keyway.sh](https://docs.keyway.sh)
-- **Issues:** [GitHub Issues](https://github.com/keywaysh/cli/issues)
-- **Email:** hello@keyway.sh
-
-<br/>
+Visit [docs.keyway.sh](https://docs.keyway.sh) for full documentation.
 
 ## License
 
-MIT © [Nicolas Ritouet](https://github.com/nicolasritouet)
-
----
-
-<div align="center">
-  <sub>Built with ☕ by <a href="https://keyway.sh">Keyway</a></sub>
-</div>
+MIT

package/bin/keyway

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+
+const { spawnSync } = require("child_process");
+const path = require("path");
+const fs = require("fs");
+
+const binaryName = process.platform === "win32" ? "keyway-bin.exe" : "keyway-bin";
+const binaryPath = path.join(__dirname, binaryName);
+
+if (!fs.existsSync(binaryPath)) {
+  console.error("keyway binary not found. Try reinstalling: npm install @keywaysh/cli");
+  process.exit(1);
+}
+
+const result = spawnSync(binaryPath, process.argv.slice(2), {
+  stdio: "inherit",
+  env: process.env,
+});
+
+if (result.error) {
+  console.error("Failed to run keyway:", result.error.message);
+  process.exit(1);
+}
+
+process.exit(result.status || 0);

package/package.json

@@ -1,69 +1,33 @@
 {
   "name": "@keywaysh/cli",
-  "version": "0.2.0",
-  "description": "Env vars that sync like code.",
-  "type": "module",
+  "version": "0.3.2",
+  "description": "GitHub-native secrets management CLI",
   "bin": {
-    "keyway": "./dist/cli.js"
+    "keyway": "./bin/keyway"
   },
-  "main": "./dist/cli.js",
-  "files": [
-    "dist"
-  ],
   "scripts": {
-    "dev": "pnpm exec tsx src/cli.ts",
-    "dev:local": "NODE_TLS_REJECT_UNAUTHORIZED=0 KEYWAY_API_URL=https://localhost/api pnpm exec tsx src/cli.ts",
-    "build": "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    "prepublishOnly": "pnpm run build",
-    "test": "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest",
-    "test:coverage": "pnpm exec vitest run --coverage",
-    "release": "npm version patch && git push && git push --tags",
-    "release:minor": "npm version minor && git push && git push --tags",
-    "release:major": "npm version major && git push && git push --tags"
+    "postinstall": "node scripts/install.js"
   },
-  "keywords": [
-    "secrets",
-    "env",
-    "keyway",
-    "cli",
-    "devops"
-  ],
-  "author": "Nicolas Ritouet",
-  "license": "MIT",
-  "homepage": "https://keyway.sh",
   "repository": {
     "type": "git",
-    "url": "https://github.com/keywaysh/cli.git"
+    "url": "git+https://github.com/keywaysh/cli-go.git"
   },
+  "homepage": "https://keyway.sh",
   "bugs": {
-    "url": "https://github.com/keywaysh/cli/issues"
+    "url": "https://github.com/keywaysh/cli-go/issues"
   },
-  "packageManager": "pnpm@10.6.1",
+  "keywords": [
+    "secrets",
+    "cli",
+    "github",
+    "env",
+    "environment-variables",
+    "dotenv",
+    "secrets-management"
+  ],
+  "author": "Keyway <hello@keyway.sh>",
+  "license": "MIT",
   "engines": {
-    "node": ">=18.0.0"
-  },
-  "dependencies": {
-    "@octokit/rest": "^22.0.1",
-    "balanced-match": "^3.0.1",
-    "commander": "^14.0.0",
-    "conf": "^15.0.2",
-    "libsodium-wrappers": "^0.7.15",
-    "open": "^11.0.0",
-    "picocolors": "^1.1.1",
-    "posthog-node": "^3.5.0",
-    "@clack/prompts": "^0.9.1"
-  },
-  "devDependencies": {
-    "@types/balanced-match": "^3.0.2",
-    "@types/libsodium-wrappers": "^0.7.14",
-    "@types/node": "^24.2.0",
-    "@vitest/coverage-v8": "^3.0.0",
-    "msw": "^2.12.4",
-    "tsup": "^8.5.0",
-    "tsx": "^4.20.3",
-    "typescript": "^5.9.2",
-    "vitest": "^3.2.4"
+    "node": ">=14"
   }
 }

package/scripts/install.js

@@ -0,0 +1,216 @@
+#!/usr/bin/env node
+
+const https = require("https");
+const fs = require("fs");
+const path = require("path");
+const { execSync, spawnSync } = require("child_process");
+const os = require("os");
+const crypto = require("crypto");
+
+const VERSION = require("../package.json").version;
+const REPO = "keywaysh/cli-go";
+const BINARY_NAME = "keyway";
+
+const PLATFORMS = {
+  "darwin-arm64": "darwin_arm64",
+  "darwin-x64": "darwin_amd64",
+  "linux-arm64": "linux_arm64",
+  "linux-x64": "linux_amd64",
+  "win32-x64": "windows_amd64",
+  "win32-arm64": "windows_arm64",
+};
+
+function getPlatformKey() {
+  return `${process.platform}-${process.arch}`;
+}
+
+function getBinaryPath() {
+  const binDir = path.join(__dirname, "..", "bin");
+  // Use keyway-bin to avoid conflict with the wrapper script
+  const binaryName = process.platform === "win32" ? `${BINARY_NAME}-bin.exe` : `${BINARY_NAME}-bin`;
+  return path.join(binDir, binaryName);
+}
+
+function fetch(url) {
+  return new Promise((resolve, reject) => {
+    const request = https.get(url, (response) => {
+      if (response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        // Follow redirect
+        fetch(response.headers.location).then(resolve).catch(reject);
+        return;
+      }
+
+      if (response.statusCode !== 200) {
+        reject(new Error(`Failed to download: ${response.statusCode}`));
+        return;
+      }
+
+      const chunks = [];
+      response.on("data", (chunk) => chunks.push(chunk));
+      response.on("end", () => resolve(Buffer.concat(chunks)));
+      response.on("error", reject);
+    });
+
+    request.on("error", reject);
+    request.setTimeout(60000, () => {
+      request.destroy();
+      reject(new Error("Request timeout"));
+    });
+  });
+}
+
+async function downloadChecksum() {
+  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/checksums.txt`;
+  try {
+    const data = await fetch(url);
+    return data.toString();
+  } catch (error) {
+    console.warn("Warning: Could not download checksums file");
+    return null;
+  }
+}
+
+function verifyChecksum(buffer, checksums, filename) {
+  if (!checksums) return true;
+
+  const hash = crypto.createHash("sha256").update(buffer).digest("hex");
+  const expectedLine = checksums.split("\n").find((line) => line.includes(filename));
+
+  if (!expectedLine) {
+    console.warn(`Warning: No checksum found for ${filename}`);
+    return true;
+  }
+
+  const expectedHash = expectedLine.split(/\s+/)[0];
+  if (hash !== expectedHash) {
+    throw new Error(`Checksum mismatch for ${filename}\nExpected: ${expectedHash}\nGot: ${hash}`);
+  }
+
+  return true;
+}
+
+async function extractTarGz(buffer, destDir) {
+  const tmpFile = path.join(os.tmpdir(), `keyway-${Date.now()}.tar.gz`);
+  fs.writeFileSync(tmpFile, buffer);
+
+  try {
+    execSync(`tar -xzf "${tmpFile}" -C "${destDir}"`, { stdio: "pipe" });
+  } finally {
+    fs.unlinkSync(tmpFile);
+  }
+}
+
+async function extractZip(buffer, destDir) {
+  const tmpFile = path.join(os.tmpdir(), `keyway-${Date.now()}.zip`);
+  fs.writeFileSync(tmpFile, buffer);
+
+  try {
+    // Try powershell on Windows
+    if (process.platform === "win32") {
+      execSync(
+        `powershell -Command "Expand-Archive -Path '${tmpFile}' -DestinationPath '${destDir}' -Force"`,
+        { stdio: "pipe" }
+      );
+    } else {
+      execSync(`unzip -o "${tmpFile}" -d "${destDir}"`, { stdio: "pipe" });
+    }
+  } finally {
+    fs.unlinkSync(tmpFile);
+  }
+}
+
+async function install() {
+  const platformKey = getPlatformKey();
+  const target = PLATFORMS[platformKey];
+
+  if (!target) {
+    console.error(`\nUnsupported platform: ${platformKey}`);
+    console.error(`Supported platforms: ${Object.keys(PLATFORMS).join(", ")}`);
+    console.error(`\nYou can install manually from: https://github.com/${REPO}/releases`);
+    process.exit(1);
+  }
+
+  const binDir = path.join(__dirname, "..", "bin");
+  const binaryPath = getBinaryPath();
+
+  // Check if binary already exists and is correct version
+  if (fs.existsSync(binaryPath)) {
+    try {
+      const result = spawnSync(binaryPath, ["--version"], { encoding: "utf8" });
+      if (result.stdout && result.stdout.includes(VERSION)) {
+        console.log(`keyway v${VERSION} already installed`);
+        return;
+      }
+    } catch (e) {
+      // Binary exists but couldn't run, reinstall
+    }
+  }
+
+  const isWindows = process.platform === "win32";
+  const ext = isWindows ? "zip" : "tar.gz";
+  const filename = `${BINARY_NAME}_${VERSION}_${target}.${ext}`;
+  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${filename}`;
+
+  console.log(`Downloading keyway v${VERSION} for ${target}...`);
+
+  try {
+    // Download checksums and binary in parallel
+    const [checksums, archiveBuffer] = await Promise.all([downloadChecksum(), fetch(url)]);
+
+    // Verify checksum
+    verifyChecksum(archiveBuffer, checksums, filename);
+
+    // Create bin directory
+    if (!fs.existsSync(binDir)) {
+      fs.mkdirSync(binDir, { recursive: true });
+    }
+
+    // Extract to temp dir first, then move binary
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "keyway-"));
+
+    try {
+      if (isWindows) {
+        await extractZip(archiveBuffer, tmpDir);
+      } else {
+        await extractTarGz(archiveBuffer, tmpDir);
+      }
+
+      // Find and move the binary (archive contains 'keyway', we save as 'keyway-bin')
+      const archiveBinaryName = isWindows ? `${BINARY_NAME}.exe` : BINARY_NAME;
+      const extractedBinary = path.join(tmpDir, archiveBinaryName);
+
+      if (!fs.existsSync(extractedBinary)) {
+        throw new Error(`Binary not found in archive: ${archiveBinaryName}`);
+      }
+
+      // Remove old binary if exists
+      if (fs.existsSync(binaryPath)) {
+        fs.unlinkSync(binaryPath);
+      }
+
+      fs.copyFileSync(extractedBinary, binaryPath);
+
+      // Make executable on Unix
+      if (!isWindows) {
+        fs.chmodSync(binaryPath, 0o755);
+      }
+
+      console.log(`Successfully installed keyway v${VERSION}`);
+    } finally {
+      // Cleanup temp directory
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  } catch (error) {
+    console.error(`\nFailed to install keyway: ${error.message}`);
+    console.error(`\nYou can install manually from: https://github.com/${REPO}/releases`);
+    console.error(`Or use: curl -fsSL https://keyway.sh/install.sh | sh`);
+    process.exit(1);
+  }
+}
+
+// Only run if called directly (not required as module)
+if (require.main === module) {
+  install();
+}
+
+module.exports = { install, getBinaryPath };