@skillrecordings/cli 0.12.0 → 0.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +124 -9
- package/dist/index.js +3549 -569
- package/dist/index.js.map +1 -1
- package/package.json +2 -1
package/README.md
CHANGED
|
@@ -192,22 +192,137 @@ non-interactive operation:
|
|
|
192
192
|
- Check exit codes: 0 = success, 1 = error
|
|
193
193
|
- Never interactive in non-TTY environments (CI/CD safe)
|
|
194
194
|
|
|
195
|
-
##
|
|
195
|
+
## Secrets Management
|
|
196
196
|
|
|
197
|
-
|
|
197
|
+
The CLI uses a layered secrets system:
|
|
198
|
+
|
|
199
|
+
1. **1Password (preferred)** - Service account token resolves secrets directly
|
|
200
|
+
2. **Encrypted `.env.encrypted`** - Age-encrypted env file for offline/CI use
|
|
201
|
+
3. **Plain `.env.local`** - Local development fallback
|
|
202
|
+
|
|
203
|
+
### Secret Resolution Order
|
|
204
|
+
|
|
205
|
+
```
|
|
206
|
+
1Password (OP_SERVICE_ACCOUNT_TOKEN set?)
|
|
207
|
+
↓ yes → resolve from 1Password vault
|
|
208
|
+
↓ no
|
|
209
|
+
.env.encrypted exists + AGE_SECRET_KEY available?
|
|
210
|
+
↓ yes → decrypt and load
|
|
211
|
+
↓ no
|
|
212
|
+
.env.local exists?
|
|
213
|
+
↓ yes → load plain env vars
|
|
214
|
+
↓ no → error: missing secrets
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
### Adding a New Secret
|
|
218
|
+
|
|
219
|
+
**Step 1: Add to `secret-refs.ts`**
|
|
220
|
+
|
|
221
|
+
```typescript
|
|
222
|
+
// packages/cli/src/core/secret-refs.ts
|
|
223
|
+
export const SECRET_REFS = {
|
|
224
|
+
// ... existing secrets
|
|
225
|
+
MY_NEW_KEY: 'op://Support/skill-cli/MY_NEW_KEY',
|
|
226
|
+
} as const
|
|
227
|
+
```
|
|
228
|
+
|
|
229
|
+
**Step 2: Add to 1Password**
|
|
230
|
+
|
|
231
|
+
```bash
|
|
232
|
+
# Using op CLI
|
|
233
|
+
op item edit "skill-cli" --vault "Support" "MY_NEW_KEY=your-secret-value"
|
|
234
|
+
|
|
235
|
+
# Or via 1Password UI:
|
|
236
|
+
# 1. Open Support vault → skill-cli item
|
|
237
|
+
# 2. Add new field: MY_NEW_KEY = your-value
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
**Step 3: Update `.env.encrypted`**
|
|
241
|
+
|
|
242
|
+
```bash
|
|
243
|
+
# Decrypt current secrets
|
|
244
|
+
AGE_KEY=$(op read "op://Support/skill-cli-age-key/password")
|
|
245
|
+
age -d -i <(echo "$AGE_KEY") .env.encrypted > .env.local
|
|
246
|
+
|
|
247
|
+
# Add new secret to .env.local
|
|
248
|
+
echo "MY_NEW_KEY=your-secret-value" >> .env.local
|
|
249
|
+
|
|
250
|
+
# Re-encrypt
|
|
251
|
+
AGE_PUB=$(echo "$AGE_KEY" | age-keygen -y)
|
|
252
|
+
age -r "$AGE_PUB" .env.local > .env.encrypted
|
|
253
|
+
|
|
254
|
+
# Verify
|
|
255
|
+
age -d -i <(echo "$AGE_KEY") .env.encrypted | grep MY_NEW_KEY
|
|
256
|
+
```
|
|
257
|
+
|
|
258
|
+
**Step 4: Commit changes**
|
|
198
259
|
|
|
199
260
|
```bash
|
|
200
|
-
|
|
201
|
-
|
|
261
|
+
git add packages/cli/src/core/secret-refs.ts packages/cli/.env.encrypted
|
|
262
|
+
git commit -m "chore(cli): add MY_NEW_KEY secret"
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
### Updating an Existing Secret
|
|
266
|
+
|
|
267
|
+
```bash
|
|
268
|
+
# 1. Update in 1Password
|
|
269
|
+
op item edit "skill-cli" --vault "Support" "MY_KEY=new-value"
|
|
270
|
+
|
|
271
|
+
# 2. Update .env.encrypted (same process as adding)
|
|
272
|
+
AGE_KEY=$(op read "op://Support/skill-cli-age-key/password")
|
|
273
|
+
age -d -i <(echo "$AGE_KEY") .env.encrypted > .env.local
|
|
274
|
+
|
|
275
|
+
# Edit .env.local with new value
|
|
276
|
+
sed -i '' 's/MY_KEY=.*/MY_KEY=new-value/' .env.local
|
|
277
|
+
|
|
278
|
+
# Re-encrypt
|
|
279
|
+
AGE_PUB=$(echo "$AGE_KEY" | age-keygen -y)
|
|
280
|
+
age -r "$AGE_PUB" .env.local > .env.encrypted
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
### Auth Commands
|
|
284
|
+
|
|
285
|
+
```bash
|
|
286
|
+
# Check current auth status
|
|
287
|
+
skill auth status
|
|
202
288
|
|
|
203
|
-
#
|
|
204
|
-
skill auth
|
|
289
|
+
# Validate 1Password token
|
|
290
|
+
skill auth login
|
|
205
291
|
|
|
206
|
-
#
|
|
207
|
-
skill auth
|
|
292
|
+
# Show service account info
|
|
293
|
+
skill auth whoami
|
|
294
|
+
|
|
295
|
+
# Interactive setup wizard
|
|
296
|
+
skill auth setup
|
|
208
297
|
```
|
|
209
298
|
|
|
210
|
-
|
|
299
|
+
### Key Locations
|
|
300
|
+
|
|
301
|
+
| Item | Location |
|
|
302
|
+
|------|----------|
|
|
303
|
+
| Secrets | `op://Support/skill-cli/*` |
|
|
304
|
+
| Age keypair | `op://Support/skill-cli-age-key/password` |
|
|
305
|
+
| Encrypted env | `packages/cli/.env.encrypted` |
|
|
306
|
+
| Secret refs | `packages/cli/src/core/secret-refs.ts` |
|
|
307
|
+
|
|
308
|
+
### CI/CD Usage
|
|
309
|
+
|
|
310
|
+
For CI environments without 1Password:
|
|
311
|
+
|
|
312
|
+
```bash
|
|
313
|
+
# Set age key as CI secret, then:
|
|
314
|
+
echo "$AGE_SECRET_KEY" > /tmp/age.key
|
|
315
|
+
age -d -i /tmp/age.key .env.encrypted > .env.local
|
|
316
|
+
rm /tmp/age.key
|
|
317
|
+
```
|
|
318
|
+
|
|
319
|
+
Or use 1Password service account:
|
|
320
|
+
|
|
321
|
+
```bash
|
|
322
|
+
export OP_SERVICE_ACCOUNT_TOKEN="$OP_TOKEN"
|
|
323
|
+
skill auth status # Verifies connection
|
|
324
|
+
skill front inbox # Commands auto-resolve secrets
|
|
325
|
+
```
|
|
211
326
|
|
|
212
327
|
## Implementation
|
|
213
328
|
|
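Review bot: The CI/CD snippet near the end of this hunk writes the age private key to a fixed path with `echo "$AGE_SECRET_KEY" > /tmp/age.key`. The key lands in a shared temp directory with whatever permissions the runner's umask gives, and `rm /tmp/age.key` never runs if the `age -d` line fails in a job that stops on the first error. Step 3 and the update procedure already avoid this with `-i <(echo "$AGE_KEY")`; using the same process substitution here, or a `mktemp` file created under `umask 077` and removed in a `trap`, keeps the key from lingering on disk. Other points in the same section:

- Step 3 and the update flow redirect the decrypted output over `.env.local`. That overwrites a developer's existing local fallback file and leaves every secret in plaintext after re-encryption. There is no cleanup step and no note that `.env.local` must stay out of git.
- `op item edit ... "MY_NEW_KEY=your-secret-value"` and `echo "MY_NEW_KEY=your-secret-value" >> .env.local` put the secret value on the command line, where it ends up in shell history.
- The verify line ends in `| grep MY_NEW_KEY`, which prints the secret to the terminal; `grep -q` would confirm presence without printing it.
- `sed -i ''` is the BSD/macOS form and fails on GNU sed, so the update steps do not run as written on Linux.
- Step 4 uses repo-root paths (`packages/cli/.env.encrypted`) while Step 3 uses bare `.env.encrypted`; stating the working directory for each step would remove the ambiguity.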