npm - @secretstash/cli - Versions diffs - 0.1.4 → 0.1.8 - Mend

@secretstash/cli 0.1.4 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -32,13 +32,38 @@ brew install secretstash/tap/sstash
 ### Authentication
+The CLI uses browser-based authentication by default, supporting passkeys, OAuth (GitHub/Google), and 2FA:
+```bash
+# Login via browser (opens browser window)
+sstash login
+# This will:
+# 1. Generate a session code
+# 2. Open your default browser to complete authentication
+# 3. Wait for you to sign in (passkey, OAuth, or email/password)
+# 4. Automatically complete CLI authentication
+# Check who you're logged in as
+sstash whoami
+# Logout
+sstash logout
+```
+#### Service Token Authentication (CI/CD)
+For automated workflows, use service tokens instead of browser authentication:
 ```bash
-# Login to SecretStash
-sstash auth login
+# Set service token as environment variable
+export SECRETSTASH_TOKEN=stk_your-service-token
+# Or login with token directly
+sstash login --token stk_your-service-token
-# Login with service token (for CI/CD)
-export SECRETSTASH_TOKEN=your-service-token
-sstash auth status
+# Verify token works
+sstash teams
 ```
 ### Working with Secrets
@@ -285,25 +310,51 @@ For CI/CD and automated workflows, use service tokens instead of user credential
 ## Commands Reference
+### Authentication
+| Command | Description |
+|---------|-------------|
+| `sstash login` | Authenticate via browser (passkeys, OAuth, 2FA) |
+| `sstash login --token <token>` | Authenticate with service token |
+| `sstash logout` | Clear authentication |
+| `sstash whoami` | Show current user/token info |
+| `sstash 2fa setup` | Set up two-factor authentication |
+| `sstash register` | Create a new SecretStash account |
+### Secrets
 | Command | Description |
 |---------|-------------|
-| `sstash auth login` | Authenticate with SecretStash |
-| `sstash auth logout` | Clear authentication |
-| `sstash auth status` | Show authentication status |
 | `sstash pull` | Pull secrets from SecretStash |
 | `sstash push` | Push secrets to SecretStash |
-| `sstash list` | List secrets in an environment |
-| `sstash get <key>` | Get a specific secret |
-| `sstash set <key>=<value>` | Set a specific secret |
-| `sstash delete <key>` | Delete a specific secret |
+| `sstash secrets list` | List secrets in an environment |
+| `sstash secrets get <key>` | Get a specific secret |
+| `sstash secrets set <key>=<value>` | Set a specific secret |
+| `sstash secrets delete <key>` | Delete a specific secret |
+| `sstash secrets history <key>` | View version history for a secret |
+| `sstash secrets rollback <key>` | Rollback to a previous version |
+| `sstash secrets tag <key> <tag>` | Add a tag to a secret |
+| `sstash secrets untag <key> <tag>` | Remove a tag from a secret |
+| `sstash secrets expiring` | List secrets expiring soon |
 | `sstash run` | Run a command with secrets injected |
 | `sstash diff` | Compare local and remote secrets |
-| `sstash projects list` | List available projects |
-| `sstash projects use <name>` | Switch project context |
-| `sstash environments list` | List environments |
+### Organization
+| Command | Description |
+|---------|-------------|
+| `sstash teams` | List teams |
+| `sstash teams use <slug>` | Switch team context |
+| `sstash projects` | List projects in current team |
+| `sstash projects use <slug>` | Switch project context |
+| `sstash environments` | List environments in current project |
 | `sstash environments create <name>` | Create a new environment |
-| `sstash teams list` | List teams |
-| `sstash teams switch <name>` | Switch team context |
+### Tags & Shares
+| Command | Description |
+|---------|-------------|
+| `sstash tags` | List tags in current team |
+| `sstash tags create <name>` | Create a new tag |
+| `sstash share create <key>` | Create a share link for a secret |
+| `sstash share list` | List active share links |
+| `sstash share revoke <id>` | Revoke a share link |
 Use `sstash --help` or `sstash <command> --help` for detailed usage information.

package/dist/index.js CHANGED Viewed

@@ -5,7 +5,7 @@ import { Command } from "commander";
 import chalk3 from "chalk";
 import { readFileSync as readFileSync4 } from "fs";
 import { fileURLToPath } from "url";
-import { dirname as dirname2, join as join2 } from "path";
+import { dirname, join as join2 } from "path";
 // src/commands/auth.ts
 import enquirer from "enquirer";
@@ -306,7 +306,7 @@ var ApiClient = class {
     const refreshToken = configManager.getRefreshToken();
     if (!refreshToken) return false;
     try {
-      const response = await fetch(`${configManager.getApiUrl()}/api/auth/refresh`, {
+      const response = await fetch(`${configManager.getApiUrl()}/api/v1/auth/refresh`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json"
@@ -317,11 +317,12 @@ var ApiClient = class {
         configManager.logout();
         return false;
       }
-      const data = await response.json();
+      const json = await response.json();
+      const tokens = json.data?.tokens || json.data || json;
       configManager.setTokens(
-        data.accessToken,
-        data.refreshToken,
-        data.expiresIn || 900
+        tokens.accessToken,
+        tokens.refreshToken,
+        tokens.expiresIn || 900
       );
       return true;
     } catch {
@@ -358,17 +359,17 @@ var ApiClient = class {
         headers: requestHeaders,
         body: body ? JSON.stringify(body) : void 0
       });
-      const data = await response.json();
+      const json = await response.json();
       if (!response.ok) {
         return {
           error: {
-            code: data.code || "API_ERROR",
-            message: data.message || `Request failed with status ${response.status}`,
-            details: data.details
+            code: json.code || json.error?.code || "API_ERROR",
+            message: json.message || json.error?.message || `Request failed with status ${response.status}`,
+            details: json.details || json.error?.details
           }
         };
       }
-      return { data };
+      return { data: json.data };
     } catch (error) {
       return {
         error: {
@@ -380,7 +381,7 @@ var ApiClient = class {
   }
   // Auth endpoints
   async login(email, password) {
-    return this.request("/api/auth/login", {
+    return this.request("/api/v1/auth/login", {
       method: "POST",
       body: { email, password, client: "cli" },
       requireAuth: false
@@ -399,14 +400,14 @@ var ApiClient = class {
     });
   }
   async verify2FA(tempToken, code) {
-    return this.request("/api/auth/2fa/verify", {
+    return this.request("/api/v1/auth/verify-2fa", {
       method: "POST",
-      body: { tempToken, code },
+      body: { tempToken, token: code },
       requireAuth: false
     });
   }
   async register(email, password) {
-    return this.request("/api/auth/register", {
+    return this.request("/api/v1/auth/register", {
       method: "POST",
       body: { email, password },
       requireAuth: false
@@ -415,7 +416,7 @@ var ApiClient = class {
   async logout() {
     const refreshToken = configManager.getRefreshToken();
     if (refreshToken) {
-      await this.request("/api/auth/logout", {
+      await this.request("/api/v1/auth/logout", {
         method: "POST",
         body: { refreshToken }
       });
@@ -423,39 +424,39 @@ var ApiClient = class {
     configManager.logout();
   }
   async getMe() {
-    return this.request("/api/users/me");
+    return this.request("/api/v1/users/me");
   }
   // Team endpoints
   async getTeams() {
-    return this.request("/api/teams");
+    return this.request("/api/v1/teams");
   }
   async createTeam(name) {
-    return this.request("/api/teams", {
+    return this.request("/api/v1/teams", {
       method: "POST",
       body: { name }
     });
   }
   // Project endpoints
   async getProjects(teamId) {
-    return this.request(`/api/teams/${teamId}/projects`);
+    return this.request(`/api/v1/teams/${teamId}/projects`);
   }
   async createProject(teamId, name, description) {
-    return this.request(`/api/teams/${teamId}/projects`, {
+    return this.request(`/api/v1/teams/${teamId}/projects`, {
       method: "POST",
       body: { name, description }
     });
   }
   async deleteProject(projectId) {
-    return this.request(`/api/projects/${projectId}`, {
+    return this.request(`/api/v1/projects/${projectId}`, {
       method: "DELETE"
     });
   }
   // Environment endpoints
   async getEnvironments(projectId) {
-    return this.request(`/api/projects/${projectId}/environments`);
+    return this.request(`/api/v1/projects/${projectId}/environments`);
   }
   async createEnvironment(projectId, name, parentId) {
-    return this.request(`/api/projects/${projectId}/environments`, {
+    return this.request(`/api/v1/projects/${projectId}/environments`, {
       method: "POST",
       body: { name, parentId }
     });
@@ -467,29 +468,29 @@ var ApiClient = class {
   }
   // Secret endpoints (keys only, no decryption)
   async getSecrets(environmentId) {
-    return this.request(`/api/environments/${environmentId}/secrets`);
+    return this.request(`/api/v1/environments/${environmentId}/secrets`);
   }
   // Decrypted secrets (requires password)
   async getDecryptedSecrets(environmentId, password) {
-    return this.request(`/api/environments/${environmentId}/secrets/decrypt`, {
+    return this.request(`/api/v1/environments/${environmentId}/secrets/decrypt`, {
       method: "POST",
       body: { password }
     });
   }
   async createSecret(environmentId, key, value, password, description) {
-    return this.request(`/api/environments/${environmentId}/secrets`, {
+    return this.request(`/api/v1/environments/${environmentId}/secrets`, {
       method: "POST",
       body: { key, value, password, description }
     });
   }
   async updateSecret(secretId, value, password, description) {
-    return this.request(`/api/secrets/${secretId}`, {
+    return this.request(`/api/v1/secrets/${secretId}`, {
       method: "PATCH",
       body: { value, password, description }
     });
   }
   async deleteSecret(secretId) {
-    return this.request(`/api/secrets/${secretId}`, {
+    return this.request(`/api/v1/secrets/${secretId}`, {
       method: "DELETE"
     });
   }
@@ -497,58 +498,58 @@ var ApiClient = class {
   async pullSecrets(teamSlug, projectSlug, environment, password, options) {
     const includeInherited = options?.includeInherited ?? true;
     const query = includeInherited ? "" : "?includeInherited=false";
-    return this.request(`/api/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/decrypt${query}`, {
+    return this.request(`/api/v1/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/decrypt${query}`, {
       method: "POST",
       body: { password }
     });
   }
   async pushSecrets(teamSlug, projectSlug, environment, secrets, password) {
-    return this.request(`/api/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/bulk`, {
+    return this.request(`/api/v1/teams/${teamSlug}/projects/${projectSlug}/environments/${environment}/secrets/bulk`, {
       method: "PUT",
       body: { secrets, password }
     });
   }
   // 2FA endpoints
   async setup2FA() {
-    return this.request("/api/users/me/2fa/setup", {
+    return this.request("/api/v1/users/me/2fa/setup", {
       method: "POST"
     });
   }
   async enable2FA(code) {
-    return this.request("/api/users/me/2fa/enable", {
+    return this.request("/api/v1/users/me/2fa/verify", {
       method: "POST",
       body: { code }
     });
   }
   async disable2FA(code) {
-    return this.request("/api/users/me/2fa/disable", {
-      method: "POST",
+    return this.request("/api/v1/users/me/2fa", {
+      method: "DELETE",
       body: { code }
     });
   }
   // Team member endpoints
   async getTeamMembers(teamId) {
-    return this.request(`/api/teams/${teamId}/members`);
+    return this.request(`/api/v1/teams/${teamId}/members`);
   }
   async inviteTeamMember(teamId, email, role) {
-    return this.request(`/api/teams/${teamId}/invitations`, {
+    return this.request(`/api/v1/teams/${teamId}/invitations`, {
       method: "POST",
       body: { email, role }
     });
   }
   async removeTeamMember(teamId, memberId) {
-    return this.request(`/api/teams/${teamId}/members/${memberId}`, {
+    return this.request(`/api/v1/teams/${teamId}/members/${memberId}`, {
       method: "DELETE"
     });
   }
   async updateTeamMemberRole(teamId, memberId, role) {
-    return this.request(`/api/teams/${teamId}/members/${memberId}`, {
+    return this.request(`/api/v1/teams/${teamId}/members/${memberId}`, {
       method: "PATCH",
       body: { role }
     });
   }
   async getPendingInvitations(teamId) {
-    return this.request(`/api/teams/${teamId}/invitations`);
+    return this.request(`/api/v1/teams/${teamId}/invitations`);
   }
   // Share link endpoints
   async createShare(teamSlug, projectSlug, environment, secretKey, options) {
@@ -574,7 +575,7 @@ var ApiClient = class {
   }
   // Service token verification - make a request to validate the token works
   async verifyServiceToken(token) {
-    return this.request("/api/teams", {
+    return this.request("/api/v1/teams", {
       headers: {
         "Authorization": `Bearer ${token}`
       },
@@ -1045,7 +1046,7 @@ function registerAuthCommands(program2) {
     ui.heading("Two-Factor Authentication Setup");
     ui.info("Scan this QR code with your authenticator app:");
     ui.br();
-    qrcode.generate(result.data.qrCodeUrl, { small: true });
+    qrcode.generate(result.data.otpauthUrl, { small: true });
     ui.br();
     ui.subheading("Or enter this secret manually:");
     console.log(colors.primary.bold(`  ${result.data.secret}`));
@@ -1106,7 +1107,7 @@ function registerAuthCommands(program2) {
         return true;
       }
     });
-    const { confirmPassword } = await prompt({
+    await prompt({
       type: "password",
       name: "confirmPassword",
       message: "Confirm Password:",
@@ -2834,12 +2835,37 @@ function registerSecretCommands(program2) {
     }
     const ctx = requireContext();
     const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
     const currentTeam = configManager.getCurrentTeam();
     if (!currentTeam) {
       ui.error("No team selected. Run `sstash teams use <slug>` first.");
       process.exit(1);
     }
     const spinner = ui.spinner("Looking up secret and tag...");
+    const projectsResult = await apiClient.getProjects(currentTeam.id);
+    if (projectsResult.error) {
+      spinner.fail();
+      ui.error(projectsResult.error.message);
+      process.exit(1);
+    }
+    const project = projectsResult.data?.projects.find((p) => p.slug === projectSlug);
+    if (!project) {
+      spinner.fail();
+      ui.error(`Project "${projectSlug}" not found`);
+      process.exit(1);
+    }
+    const envsResult = await apiClient.getEnvironments(project.id);
+    if (envsResult.error) {
+      spinner.fail();
+      ui.error(envsResult.error.message);
+      process.exit(1);
+    }
+    const env = envsResult.data?.environments.find((e) => e.slug === environment || e.name.toLowerCase() === environment.toLowerCase());
+    if (!env) {
+      spinner.fail();
+      ui.error(`Environment "${environment}" not found`);
+      process.exit(1);
+    }
     const tagsResult = await apiClient.getTags(currentTeam.id);
     if (tagsResult.error) {
       spinner.fail();
@@ -2855,7 +2881,7 @@ function registerSecretCommands(program2) {
       ui.info(`Create it with ${ui.code(`sstash tags create ${tagname}`)}`);
       process.exit(1);
     }
-    const secretsResult = await apiClient.getSecrets(environment);
+    const secretsResult = await apiClient.getSecrets(env.id);
     if (secretsResult.error) {
       spinner.fail();
       ui.error(secretsResult.error.message);
@@ -2889,12 +2915,37 @@ function registerSecretCommands(program2) {
     }
     const ctx = requireContext();
     const environment = options.env || ctx.environment;
+    const projectSlug = options.project || ctx.projectSlug;
     const currentTeam = configManager.getCurrentTeam();
     if (!currentTeam) {
       ui.error("No team selected. Run `sstash teams use <slug>` first.");
       process.exit(1);
     }
     const spinner = ui.spinner("Looking up secret and tag...");
+    const projectsResult = await apiClient.getProjects(currentTeam.id);
+    if (projectsResult.error) {
+      spinner.fail();
+      ui.error(projectsResult.error.message);
+      process.exit(1);
+    }
+    const project = projectsResult.data?.projects.find((p) => p.slug === projectSlug);
+    if (!project) {
+      spinner.fail();
+      ui.error(`Project "${projectSlug}" not found`);
+      process.exit(1);
+    }
+    const envsResult = await apiClient.getEnvironments(project.id);
+    if (envsResult.error) {
+      spinner.fail();
+      ui.error(envsResult.error.message);
+      process.exit(1);
+    }
+    const env = envsResult.data?.environments.find((e) => e.slug === environment || e.name.toLowerCase() === environment.toLowerCase());
+    if (!env) {
+      spinner.fail();
+      ui.error(`Environment "${environment}" not found`);
+      process.exit(1);
+    }
     const tagsResult = await apiClient.getTags(currentTeam.id);
     if (tagsResult.error) {
       spinner.fail();
@@ -2909,7 +2960,7 @@ function registerSecretCommands(program2) {
       ui.error(`Tag "${tagname}" not found`);
       process.exit(1);
     }
-    const secretsResult = await apiClient.getSecrets(environment);
+    const secretsResult = await apiClient.getSecrets(env.id);
     if (secretsResult.error) {
       spinner.fail();
       ui.error(secretsResult.error.message);
@@ -4076,7 +4127,7 @@ function registerExecCommand(program2) {
 }
 // src/index.ts
-var __dirname = dirname2(fileURLToPath(import.meta.url));
+var __dirname = dirname(fileURLToPath(import.meta.url));
 var version = "0.1.0";
 try {
   const pkg = JSON.parse(readFileSync4(join2(__dirname, "..", "package.json"), "utf-8"));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@secretstash/cli",
-  "version": "0.1.4",
+  "version": "0.1.8",
   "description": "CLI tool for SecretStash - secure team secrets management",
   "type": "module",
   "main": "dist/index.js",