@rafay99/cvx 0.30.0 → 0.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +54 -4
  2. package/cvx.1 +31 -4
  3. package/package.json +6 -6
package/README.md CHANGED
@@ -117,6 +117,14 @@ cd ~/Code/project-b && cvx link work
117
117
  cd ~/Code/project-c && cvx link personal # one account → many projects
118
118
  ```
119
119
 
120
+ ## Safety net: the wrong-account guard
121
+
122
+ The Convex CLI stamps a `# team: …` note on the `CONVEX_DEPLOYMENT` line of
123
+ `.env.local`. On every activation (including the automatic cd-hook), cvx
124
+ cross-checks that team against the linked account's teams and warns loudly on
125
+ a mismatch — catching "about to deploy with the wrong account" *before* it
126
+ happens. `cvx status` shows the same warning.
127
+
120
128
  ## Daily use
121
129
 
122
130
  ```bash
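Review bot: the new "Safety net" section says cvx "warns loudly on a mismatch" but not whether activation still proceeds after the warning, and it does not say what the guard does when the `CONVEX_DEPLOYMENT` line in `.env.local` carries no `# team: …` note. Suggest stating both, so readers know whether the guard blocks or only warns, and whether a missing note is treated as a pass or is reported. Since the cd-hook path is automatic, it is also worth saying whether the warning still appears there, given that `cvx activate` has a `-q` flag.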
@@ -134,21 +142,24 @@ bun run dev # runs as work — both live simultaneously
134
142
  | --- | --- |
135
143
  | `cvx add [name]` | Store the current `~/.convex` login as an account |
136
144
  | `cvx login <name>` | `npx convex login`, then store it as `<name>` |
137
- | `cvx refresh <account>` | Re-authenticate an account (refresh its token) |
145
+ | `cvx refresh <account>` / `--all` | Re-authenticate one account or every account in one sitting |
138
146
  | `cvx link <account> [path]` | Link a project dir (default cwd) to an account |
139
147
  | `cvx unlink [path]` | Remove a link |
140
148
  | `cvx rename <old> <new>` | Rename an account, keeping its links |
141
149
  | `cvx rm <account>` | Forget an account and its links |
142
- | `cvx use` | Activate this dir's account or pick one interactively if unlinked |
150
+ | `cvx use [account]` | Activate by name from anywhere — or this dir's account / an interactive pick |
143
151
  | `cvx run <account> -- <cmd>` | Run one command as `<account>` without changing the global login |
144
152
  | `cvx open` | Open the Convex dashboard for this project's deployment |
145
153
  | `cvx activate [-q]` | Activate this dir's account (the hook calls this) |
146
154
  | `cvx status [--json]` | Show the active account and this dir's link |
147
- | `cvx accounts` | List stored accounts |
155
+ | `cvx accounts` | List stored accounts (with when each token was last verified) |
148
156
  | `cvx ls` | List linked projects |
149
157
  | `cvx which [path]` | Print the account name for a dir (scripting) |
150
158
  | `cvx prompt` | Print the active account name (for a shell prompt segment) |
151
159
  | `cvx keychain <status\|enable\|disable>` | Store tokens in the OS keychain instead of a file |
160
+ | `cvx vault <status\|encrypt\|decrypt\|unlock\|lock>` | Passphrase-encrypt stored tokens (unlock once per session) |
161
+ | `cvx export [file]` / `cvx import <file>` | Encrypted vault backup / restore — new-machine setup in one command |
162
+ | `cvx upgrade` | Check for a newer release and print the exact upgrade command |
152
163
  | `cvx doctor` | Check setup + per-account token health |
153
164
  | `cvx completions <shell>` | Print a completion script (zsh/bash/fish/powershell) |
154
165
  | `cvx hook [--install] [--shell …]` | Install the cd-hook (zsh/bash/fish/nu/powershell) |
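Review bot: the table now has two token-protection rows, `cvx keychain` and the new `cvx vault`, and nothing says how they combine: whether `vault encrypt` applies only to the file backend, or whether both can be enabled at once. Suggest one sentence under the table covering that. The `cvx use [account]` row should also carry the rule that cvx.1 states in this release, that a name wins over a same-named directory and `./dir` forces the path meaning, because the argument now changes the global login rather than selecting a directory.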
@@ -199,11 +210,17 @@ a single binary, so the split costs nothing at build time.
199
210
 
200
211
  ```
201
212
  bin/cvx.ts entry point + command dispatch
202
- src/store.ts data layer: vault I/O, the config swap, token verify, paths
213
+ src/paths.ts the ONE place HOME is resolved (CVX_HOME sandbox support)
214
+ src/store.ts data layer: vault I/O, the config swap, token verify
203
215
  src/ui.ts the logo banner, first-run welcome, help
204
216
  src/colors.ts the palette (edit here to re-theme)
205
217
  src/commands.ts one function per subcommand
206
218
  src/hooks.ts zsh / bash / PowerShell shell-hook snippets
219
+ src/keychain.ts OS keychain / DPAPI token backends
220
+ src/crypto.ts scrypt + AES-256-GCM (vault encryption, export files)
221
+ src/vault.ts passphrase-encrypted vault + session unlock
222
+ src/transfer.ts cvx export / import (encrypted backups)
223
+ src/upgrade.ts cvx upgrade (release check)
207
224
  src/system.ts external-tool checks (node/npx)
208
225
  src/args.ts flag parsing
209
226
  man/cvx.1 man page (installed by Homebrew/npm → `man cvx`)
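Review bot: while this listing is being edited, the unchanged `src/hooks.ts` line still reads "zsh / bash / PowerShell shell-hook snippets", but the command table documents `cvx hook` for zsh/bash/fish/nu/powershell. Suggest bringing the description in line with the shells actually supported. The `src/crypto.ts` entry names scrypt and AES-256-GCM; a pointer to where the scrypt cost parameters are set would help anyone auditing the vault format.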
@@ -212,6 +229,39 @@ man/cvx.1 man page (installed by Homebrew/npm → `man cvx`)
212
229
  First run of a bare `cvx` shows a welcome screen; `cvx welcome` shows it again,
213
230
  and `man cvx` opens the manual.
214
231
 
232
+ ## Testing
233
+
234
+ ```sh
235
+ bun test # full suite: parser + store units, and an e2e matrix that
236
+ # drives every command against a throwaway CVX_HOME
237
+ ```
238
+
239
+ The suite runs in ~2s, needs no setup, and never touches your real vault —
240
+ CI (`.github/workflows/test.yml`) runs it on every PR. Three flows can't run
241
+ headless and stay manual (use the sandbox below): real `cvx login` (browser),
242
+ the interactive migration prompt (needs a PTY), and `cvx keychain enable`
243
+ (the OS keychain is per-user).
244
+
245
+ ## Testing safely (sandbox)
246
+
247
+ Never test a build against your real vault. Everything cvx touches — the vault,
248
+ the global `~/.convex/config.json` it swaps, the rc files `hook --install`
249
+ edits — resolves from one base directory, and setting `CVX_HOME` relocates all
250
+ of it:
251
+
252
+ ```sh
253
+ scripts/sandbox.sh # build + drop into a shell with an EMPTY sandbox vault
254
+ scripts/sandbox.sh --copy-vault # same, but seeded with a COPY of your real vault
255
+ ```
256
+
257
+ Inside that shell `cvx` is the fresh build and every command — `link`,
258
+ `activate`, `rm`, even the migration prompt and `hook --install` — reads and
259
+ writes only the sandbox. `exit` to leave; your real setup is never touched.
260
+ Works without the script too: `CVX_HOME=/tmp/try cvx status`.
261
+
262
+ One exception can't be sandboxed: the OS keychain is per-user, so skip
263
+ `cvx keychain enable` in a sandbox (the default file backend is used anyway).
264
+
215
265
  ## Releasing
216
266
 
217
267
  Pushing to `main` (touching `bin/**` or `package.json`) triggers
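Review bot: in "Testing safely (sandbox)", `scripts/sandbox.sh --copy-vault` seeds the sandbox with a copy of the real vault, and the one-liner `CVX_HOME=/tmp/try cvx status` puts the sandbox under `/tmp`; the text does not say what permissions the sandbox directory and copied vault get, or whether the copy is removed on `exit`. Suggest documenting that the copied vault holds live tokens, stating the mode it is created with, and using a private directory (for example one from `mktemp -d`) in the example instead of a fixed `/tmp` path. "Your real setup is never touched" should also be qualified by the keychain exception described two paragraphs later.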
package/cvx.1 CHANGED
@@ -52,10 +52,12 @@ PowerShell \fB$PROFILE\fR). The shell is auto-detected when \fB--shell\fR is omi
52
52
  Print a shell completion script (completes commands and account names).
53
53
  .SS Everyday
54
54
  .TP
55
- .B cvx use \fR[\fIpath\fR]
56
- Activate the account linked to a directory. If the directory isn't linked and
57
- the terminal is interactive, pick an account from a list (uses \fBfzf\fR if
58
- installed) and optionally link the directory.
55
+ .B cvx use \fR[\fIaccount\fR|\fIpath\fR]
56
+ With an account name: activate that account globally, from anywhere. With a
57
+ path (or nothing): activate the directory's linked account; if unlinked and
58
+ the terminal is interactive, pick from a list (uses \fBfzf\fR if installed)
59
+ and optionally link the directory. A name wins over a same-named directory
60
+ \(em use \fI./dir\fR to force the path meaning.
59
61
  .TP
60
62
  .B cvx run \fIaccount\fR \fR[\fB--\fR] \fIcommand\fR ...
61
63
  Run \fIcommand\fR with the given account active for that process only, by
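Review bot: in the new `cvx use` text, "A name wins over a same-named directory" means an invocation such as `cvx use work` that used to resolve as a path now switches the global login when an account of that name exists. Suggest documenting this as a behaviour change, and having the command report which interpretation it chose when both an account and a directory match, so scripts written against the old `[path]` form do not change the active account silently.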
@@ -97,6 +99,24 @@ Show or change where account tokens are stored. \fBenable\fR moves them into the
97
99
  OS keychain (macOS Keychain, libsecret on Linux, DPAPI on Windows); \fBdisable\fR
98
100
  moves them back to the chmod-600 file vault.
99
101
  .TP
102
+ .B cvx vault \fR<\fBstatus\fR|\fBencrypt\fR|\fBdecrypt\fR|\fBunlock\fR|\fBlock\fR>
103
+ Passphrase-encrypt the stored tokens (AES-256-GCM, scrypt-derived key).
104
+ \fBunlock\fR caches the key for the session (cleared by \fBlock\fR or a
105
+ reboot); while locked, tokens are unreadable and commands point at
106
+ \fBcvx vault unlock\fR. Scripts can set \fBCVX_PASSPHRASE\fR instead.
107
+ .TP
108
+ .B cvx export \fR[\fIfile\fR] / \fBcvx import \fR\fIfile\fR [\fB--force\fR]
109
+ Write a passphrase-encrypted backup of the vault (accounts + links), and
110
+ restore it on another machine. Import merges; existing names are kept unless
111
+ \fB--force\fR.
112
+ .TP
113
+ .B cvx refresh --all
114
+ Re-authenticate every stored account in one sitting (a browser sign-in each).
115
+ .TP
116
+ .B cvx upgrade
117
+ Check for a newer cvx release and print the exact upgrade command for how it
118
+ was installed (Homebrew, npm/bun, or GitHub tarball).
119
+ .TP
100
120
  .B cvx doctor \fR[\fB--no-tokens\fR]
101
121
  Check your setup and report problems: Node/npx availability, whether you have a
102
122
  Convex login, vault integrity, the token storage backend, the active account,
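Review bot: the `cvx vault` entry says `unlock` "caches the key for the session (cleared by lock or a reboot)" without saying where the key is cached or who can read it; "cleared by a reboot" implies it outlives the shell that unlocked it. Suggest naming the cache location and its permissions, and stating whether closing the terminal leaves the vault unlocked. For `cvx import`, "Import merges; existing names are kept unless --force" should say whether `--force` replaces links as well as tokens.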
@@ -125,6 +145,13 @@ The Convex CLI's global login, which \fBcvx\fR rewrites.
125
145
  .TP
126
146
  .B NO_COLOR
127
147
  Disable colored output.
148
+ .TP
149
+ .B CVX_HOME
150
+ Relocate everything cvx touches (vault, global Convex config, hook rc files)
151
+ under this directory \(em a fully isolated sandbox for testing.
152
+ .TP
153
+ .B CVX_PASSPHRASE
154
+ Non-interactive passphrase for \fBcvx vault\fR and \fBcvx export\fR/\fBimport\fR.
128
155
  .SH EXAMPLES
129
156
  .PP
130
157
  Add two accounts and wire up projects:
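Review bot: the `CVX_PASSPHRASE` entry documents a secret passed in the environment but does not say whether it is removed from the environment of child processes; `cvx run <account> -- <cmd>` executes arbitrary commands, which would otherwise inherit it. Suggest stating that behaviour here and noting that the variable is intended for scripts and CI, not for export from a shell rc file. For `CVX_HOME`, since it relocates the vault and the global Convex config, it would help to say that `cvx status` or `cvx doctor` reports when it is set.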
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@rafay99/cvx",
3
- "version": "0.30.0",
3
+ "version": "0.35.0",
4
4
  "description": "Switch Convex accounts per project automatically — run many Convex accounts across projects at once, no login/logout churn, no deploy keys, no tokens in your repos",
5
5
  "keywords": [
6
6
  "convex", "convex-dev", "convex-cli", "cli", "command-line",
@@ -19,10 +19,10 @@
19
19
  "files": ["launcher.cjs", "cvx.1", "README.md", "LICENSE"],
20
20
  "engines": { "node": ">=16" },
21
21
  "optionalDependencies": {
22
- "@rafay99/cvx-darwin-arm64": "0.30.0",
23
- "@rafay99/cvx-darwin-x64": "0.30.0",
24
- "@rafay99/cvx-linux-x64": "0.30.0",
25
- "@rafay99/cvx-linux-arm64": "0.30.0",
26
- "@rafay99/cvx-win32-x64": "0.30.0"
22
+ "@rafay99/cvx-darwin-arm64": "0.35.0",
23
+ "@rafay99/cvx-darwin-x64": "0.35.0",
24
+ "@rafay99/cvx-linux-x64": "0.35.0",
25
+ "@rafay99/cvx-linux-arm64": "0.35.0",
26
+ "@rafay99/cvx-win32-x64": "0.35.0"
27
27
  }
28
28
  }
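Review bot: the only code-bearing change in this package is the bump of the five `@rafay99/cvx-*` entries in `optionalDependencies` from 0.30.0 to 0.35.0; the three files changed here are README.md, cvx.1 and package.json, so none of the newly documented behaviour (vault encryption, export/import, the wrong-account guard) is visible in this diff. The exact version pins are good. Reviewing this release means diffing those five platform packages as well, and ideally checking that each was published from the same release run as this one.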