@skillrecordings/cli 0.11.2 → 0.13.0

package/README.md CHANGED
@@ -14,6 +14,16 @@ skill <command> [options]
14
14
  All commands support `--json` for machine-readable output and reliable exit
15
15
  codes.
16
16
 
17
+ ## Adaptive Hints
18
+
19
+ The CLI prints adaptive onboarding/discovery hints to `stderr` for new users.
20
+ Hints learn from usage and fade as you run more commands.
21
+
22
+ **Opt out:**
23
+ - Use `--quiet`
24
+ - Use `--json`
25
+ - Pipe output (non-TTY)
26
+
17
27
  ## Commands
18
28
 
19
29
  ### `skill init <name>`
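Review bot: The new Adaptive Hints section says hints "learn from usage" but does not say what usage data is recorded or where it is stored, so a reader cannot tell what the CLI writes to disk or how to reset it. Add a sentence naming the state location and what it contains. The opt-out list also offers only per-invocation switches (`--quiet`, `--json`, non-TTY output); if a persistent opt-out exists, document it here, and state whether usage is still recorded when hints are suppressed.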
@@ -182,22 +192,137 @@ non-interactive operation:
182
192
  - Check exit codes: 0 = success, 1 = error
183
193
  - Never interactive in non-TTY environments (CI/CD safe)
184
194
 
185
- ## Auth (Encrypted Secrets)
195
+ ## Secrets Management
196
+
197
+ The CLI uses a layered secrets system:
198
+
199
+ 1. **1Password (preferred)** - Service account token resolves secrets directly
200
+ 2. **Encrypted `.env.encrypted`** - Age-encrypted env file for offline/CI use
201
+ 3. **Plain `.env.local`** - Local development fallback
202
+
203
+ ### Secret Resolution Order
204
+
205
+ ```
206
+ 1Password (OP_SERVICE_ACCOUNT_TOKEN set?)
207
+ ↓ yes → resolve from 1Password vault
208
+ ↓ no
209
+ .env.encrypted exists + AGE_SECRET_KEY available?
210
+ ↓ yes → decrypt and load
211
+ ↓ no
212
+ .env.local exists?
213
+ ↓ yes → load plain env vars
214
+ ↓ no → error: missing secrets
215
+ ```
216
+
217
+ ### Adding a New Secret
218
+
219
+ **Step 1: Add to `secret-refs.ts`**
220
+
221
+ ```typescript
222
+ // packages/cli/src/core/secret-refs.ts
223
+ export const SECRET_REFS = {
224
+ // ... existing secrets
225
+ MY_NEW_KEY: 'op://Support/skill-cli/MY_NEW_KEY',
226
+ } as const
227
+ ```
228
+
229
+ **Step 2: Add to 1Password**
230
+
231
+ ```bash
232
+ # Using op CLI
233
+ op item edit "skill-cli" --vault "Support" "MY_NEW_KEY=your-secret-value"
234
+
235
+ # Or via 1Password UI:
236
+ # 1. Open Support vault → skill-cli item
237
+ # 2. Add new field: MY_NEW_KEY = your-value
238
+ ```
186
239
 
187
- Distribute CLI secrets to team members via age encryption + 1Password.
240
+ **Step 3: Update `.env.encrypted`**
188
241
 
189
242
  ```bash
190
- # Generate keypair (admin)
191
- skill auth keygen
243
+ # Decrypt current secrets
244
+ AGE_KEY=$(op read "op://Support/skill-cli-age-key/password")
245
+ age -d -i <(echo "$AGE_KEY") .env.encrypted > .env.local
192
246
 
193
- # Encrypt secrets (admin)
194
- skill auth encrypt .env.local
247
+ # Add new secret to .env.local
248
+ echo "MY_NEW_KEY=your-secret-value" >> .env.local
195
249
 
196
- # Decrypt secrets (team)
197
- skill auth decrypt .env.local.age --output .env.local
250
+ # Re-encrypt
251
+ AGE_PUB=$(echo "$AGE_KEY" | age-keygen -y)
252
+ age -r "$AGE_PUB" .env.local > .env.encrypted
253
+
254
+ # Verify
255
+ age -d -i <(echo "$AGE_KEY") .env.encrypted | grep MY_NEW_KEY
256
+ ```
257
+
258
+ **Step 4: Commit changes**
259
+
260
+ ```bash
261
+ git add packages/cli/src/core/secret-refs.ts packages/cli/.env.encrypted
262
+ git commit -m "chore(cli): add MY_NEW_KEY secret"
198
263
  ```
199
264
 
200
- See [docs/CLI-AUTH.md](./docs/CLI-AUTH.md) for complete setup guide.
265
+ ### Updating an Existing Secret
266
+
267
+ ```bash
268
+ # 1. Update in 1Password
269
+ op item edit "skill-cli" --vault "Support" "MY_KEY=new-value"
270
+
271
+ # 2. Update .env.encrypted (same process as adding)
272
+ AGE_KEY=$(op read "op://Support/skill-cli-age-key/password")
273
+ age -d -i <(echo "$AGE_KEY") .env.encrypted > .env.local
274
+
275
+ # Edit .env.local with new value
276
+ sed -i '' 's/MY_KEY=.*/MY_KEY=new-value/' .env.local
277
+
278
+ # Re-encrypt
279
+ AGE_PUB=$(echo "$AGE_KEY" | age-keygen -y)
280
+ age -r "$AGE_PUB" .env.local > .env.encrypted
281
+ ```
282
+
283
+ ### Auth Commands
284
+
285
+ ```bash
286
+ # Check current auth status
287
+ skill auth status
288
+
289
+ # Validate 1Password token
290
+ skill auth login
291
+
292
+ # Show service account info
293
+ skill auth whoami
294
+
295
+ # Interactive setup wizard
296
+ skill auth setup
297
+ ```
298
+
299
+ ### Key Locations
300
+
301
+ | Item | Location |
302
+ |------|----------|
303
+ | Secrets | `op://Support/skill-cli/*` |
304
+ | Age keypair | `op://Support/skill-cli-age-key/password` |
305
+ | Encrypted env | `packages/cli/.env.encrypted` |
306
+ | Secret refs | `packages/cli/src/core/secret-refs.ts` |
307
+
308
+ ### CI/CD Usage
309
+
310
+ For CI environments without 1Password:
311
+
312
+ ```bash
313
+ # Set age key as CI secret, then:
314
+ echo "$AGE_SECRET_KEY" > /tmp/age.key
315
+ age -d -i /tmp/age.key .env.encrypted > .env.local
316
+ rm /tmp/age.key
317
+ ```
318
+
319
+ Or use 1Password service account:
320
+
321
+ ```bash
322
+ export OP_SERVICE_ACCOUNT_TOKEN="$OP_TOKEN"
323
+ skill auth status # Verifies connection
324
+ skill front inbox # Commands auto-resolve secrets
325
+ ```
201
326
 
202
327
  ## Implementation
203
328
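Review bot: In the CI/CD Usage block, `echo "$AGE_SECRET_KEY" > /tmp/age.key` writes the age private key to a fixed path in a shared temp directory with default file permissions, and the `rm /tmp/age.key` line is never reached if the job shell exits on a failed `age -d`. Step 3 already passes the identity with `-i <(echo "$AGE_KEY")`; use the same form here, or at least set a restrictive umask, create the file with `mktemp`, and remove it in a trap. Two related points in the same hunk: the Step 3 and Updating flows decrypt over `.env.local`, which the layering list names as the local development fallback, so any local-only values there are overwritten and the plaintext is left on disk after re-encrypting; and the Verify line ends in `grep MY_NEW_KEY`, which prints the secret value to the terminal where `grep -q` would confirm presence without echoing it. As a portability note, `sed -i ''` in the Updating block is the BSD/macOS form and fails on GNU sed, which deserves a comment.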