@tinycloud/cli 0.5.0-beta.13 → 0.5.1-beta.0

package/README.md

@@ -24,6 +24,11 @@ tc kv put greeting "Hello, world"
 tc kv get greeting
 tc kv list
 
+# Manage network-encrypted secrets on the default network
+tc secrets network init
+tc secrets put ANTHROPIC_API_KEY "sk-..."
+tc secrets get ANTHROPIC_API_KEY
+
 # Manage spaces
 tc space list
 tc space create
@@ -55,12 +60,21 @@ tc delegation create --to did:pkh:eip155:1:0x...
 | `tc profile list` | List profiles |
 | `tc profile show` | Show profile details |
 | `tc profile create` | Create a new profile |
-| `tc vault` | Manage encrypted vaults |
-| `tc secrets` | Manage secrets |
+| `tc vault` | Manage encrypted KV vaults |
+| `tc secrets` | Manage network-encrypted secrets |
+| `tc secrets network show` | Show a secrets decryption network |
+| `tc secrets network init` | Create or fetch the default secrets network |
+| `tc secrets network grant` | Grant `tinycloud.encryption/decrypt` on a secrets network |
 | `tc vars` | Manage environment variables |
 | `tc doctor` | Run diagnostic checks |
 | `tc completion` | Generate shell completions |
 
+Secret names are env-style uppercase identifiers such as `FIREFLIES_API_KEY`.
+`tc secrets network show` accepts either a short network name or a full
+`urn:tinycloud:encryption:<principal>:<network>` identifier. `tc secrets
+network grant` takes the short name, resolves the network, and grants
+`tinycloud.encryption/decrypt`.
+
 ## Global Options
 
 ```

package/dist/index.js

@@ -2643,8 +2643,6 @@ function registerVaultCommand(program2) {
 // src/commands/secrets.ts
 import { readFile as readFile5 } from "fs/promises";
 import { writeFile as writeFile4 } from "fs/promises";
-import { PrivateKeySigner as PrivateKeySigner3 } from "@tinycloud/node-sdk";
-var SECRETS_PREFIX = "secrets/";
 async function readStdin3() {
   const chunks = [];
   for await (const chunk of process.stdin) {
@@ -2652,92 +2650,96 @@ async function readStdin3() {
   }
   return Buffer.concat(chunks);
 }
-function resolvePrivateKey2(options) {
-  const key = options.privateKey || process.env.TC_PRIVATE_KEY;
-  if (!key) {
-    throw new CLIError(
-      "AUTH_REQUIRED",
-      "Private key required. Use --private-key <hex> or set TC_PRIVATE_KEY env var.",
-      ExitCode.AUTH_REQUIRED
-    );
-  }
-  return key;
+function authOptions(options) {
+  const privateKey = options.privateKey || process.env.TC_PRIVATE_KEY;
+  return privateKey ? { privateKey } : void 0;
 }
-async function unlockVault2(node, privateKey) {
-  const signer = new PrivateKeySigner3(privateKey);
-  const result = await node.vault.unlock(signer);
-  if (result && !result.ok) {
-    throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
-  }
+function resolveSecretScope(options) {
+  const scope = options.scope ?? options.space;
+  return scope ? { scope } : void 0;
 }
 function registerSecretsCommand(program2) {
   const secrets = program2.command("secrets").description("Encrypted secrets management");
-  secrets.command("list").description("List secrets").option("--space <spaceId>", "Space to list secrets from (for delegated access)").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (options, cmd) => {
+  const network = secrets.command("network").description("Manage the default secrets encryption network");
+  network.command("show [nameOrNetworkId]").description("Show a secrets encryption network").option("--private-key <hex>", "Ethereum private key override (or set TC_PRIVATE_KEY)").action(async (nameOrNetworkId, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey2(options);
-      const node = await ensureAuthenticated(ctx, { privateKey });
-      await withSpinner("Unlocking vault...", () => unlockVault2(node, privateKey));
-      if (options.space) {
-        throw new CLIError(
-          "NOT_IMPLEMENTED",
-          `Listing secrets from a delegated space (${options.space}) is not yet supported at the SDK level. The vault service currently operates on the space bound to the active session. SDK support for cross-space vault operations is planned.`,
-          ExitCode.ERROR
-        );
-      }
-      const result = await withSpinner("Listing secrets...", () => node.vault.list({ prefix: SECRETS_PREFIX }));
+      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const requested = nameOrNetworkId ?? "default";
+      const networkId = requested.startsWith("urn:tinycloud:encryption:") ? requested : node.getDefaultEncryptionNetworkId(requested);
+      const descriptor = await withSpinner(
+        "Fetching encryption network...",
+        () => node.getEncryptionNetwork(requested)
+      );
+      outputJson({
+        networkId,
+        exists: descriptor !== null,
+        ...descriptor ? { descriptor } : {}
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  network.command("init [name]").description("Create a secrets encryption network if needed").option("--private-key <hex>", "Ethereum private key override (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const descriptor = await withSpinner(
+        "Ensuring encryption network...",
+        () => node.ensureEncryptionNetwork(name ?? "default")
+      );
+      outputJson({
+        networkId: descriptor.networkId,
+        state: descriptor.state,
+        descriptor
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  secrets.command("list").description("List secrets").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const scopeOptions = resolveSecretScope(options);
+      const result = await withSpinner(
+        "Listing secrets...",
+        () => node.secrets.list(scopeOptions)
+      );
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
-      const keys = result.data.data ?? result.data;
-      const keyList = Array.isArray(keys) ? keys : [];
-      const secretNames = keyList.map(
-        (k) => typeof k === "string" && k.startsWith(SECRETS_PREFIX) ? k.slice(SECRETS_PREFIX.length) : k
-      );
+      const secretNames = Array.isArray(result.data) ? result.data : [];
+      const scope = options.scope ?? options.space;
       outputJson({
         secrets: secretNames,
         count: secretNames.length,
-        ...options.space ? { space: options.space } : {}
+        ...scope ? { scope } : {}
       });
     } catch (error) {
       handleError(error);
     }
   });
-  secrets.command("get <name>").description("Get a secret value").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
+  secrets.command("get <name>").description("Get a secret value").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey2(options);
-      const node = await ensureAuthenticated(ctx, { privateKey });
-      await withSpinner("Unlocking vault...", () => unlockVault2(node, privateKey));
-      const vaultKey = `${SECRETS_PREFIX}${name}`;
-      const result = await withSpinner(`Getting secret ${name}...`, () => node.vault.get(vaultKey));
+      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const scopeOptions = resolveSecretScope(options);
+      const result = await withSpinner(
+        `Getting secret ${name}...`,
+        () => node.secrets.get(name, scopeOptions)
+      );
       if (!result.ok) {
-        if (result.error.code === "NOT_FOUND") {
+        if (result.error.code === "NOT_FOUND" || result.error.code === "KEY_NOT_FOUND") {
           throw new CLIError("NOT_FOUND", `Secret "${name}" not found`, ExitCode.NOT_FOUND);
         }
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
-      const data = result.data.data ?? result.data;
-      let value;
-      if (typeof data === "string") {
-        try {
-          const parsed = JSON.parse(data);
-          value = parsed.value;
-        } catch {
-          value = data;
-        }
-      } else if (data instanceof Uint8Array) {
-        try {
-          const parsed = JSON.parse(Buffer.from(data).toString("utf-8"));
-          value = parsed.value;
-        } catch {
-          value = Buffer.from(data).toString("utf-8");
-        }
-      } else {
-        value = data.value ?? data;
-      }
+      const value = String(result.data);
       if (options.output) {
         await writeFile4(options.output, value);
         outputJson({ name, written: options.output });
@@ -2752,13 +2754,11 @@ function registerSecretsCommand(program2) {
       handleError(error);
     }
   });
-  secrets.command("put <name> [value]").description("Store a secret").option("--file <path>", "Read value from file").option("--stdin", "Read value from stdin").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, value, options, cmd) => {
+  secrets.command("put <name> [value]").description("Store a secret").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--file <path>", "Read value from file").option("--stdin", "Read value from stdin").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, value, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey2(options);
-      const node = await ensureAuthenticated(ctx, { privateKey });
-      await withSpinner("Unlocking vault...", () => unlockVault2(node, privateKey));
+      const node = await ensureAuthenticated(ctx, authOptions(options));
       let secretValue;
       const sources = [value !== void 0, !!options.file, !!options.stdin].filter(Boolean);
       if (sources.length === 0) {
@@ -2774,12 +2774,11 @@ function registerSecretsCommand(program2) {
       } else {
         secretValue = value;
       }
-      const payload = JSON.stringify({
-        value: secretValue,
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
-      });
-      const vaultKey = `${SECRETS_PREFIX}${name}`;
-      const result = await withSpinner(`Storing secret ${name}...`, () => node.vault.put(vaultKey, payload));
+      const scopeOptions = resolveSecretScope(options);
+      const result = await withSpinner(
+        `Storing secret ${name}...`,
+        () => node.secrets.put(name, secretValue, scopeOptions)
+      );
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2788,15 +2787,16 @@ function registerSecretsCommand(program2) {
       handleError(error);
     }
   });
-  secrets.command("delete <name>").description("Delete a secret").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
+  secrets.command("delete <name>").description("Delete a secret").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey2(options);
-      const node = await ensureAuthenticated(ctx, { privateKey });
-      await withSpinner("Unlocking vault...", () => unlockVault2(node, privateKey));
-      const vaultKey = `${SECRETS_PREFIX}${name}`;
-      const result = await withSpinner(`Deleting secret ${name}...`, () => node.vault.delete(vaultKey));
+      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const scopeOptions = resolveSecretScope(options);
+      const result = await withSpinner(
+        `Deleting secret ${name}...`,
+        () => node.secrets.delete(name, scopeOptions)
+      );
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2805,6 +2805,37 @@ function registerSecretsCommand(program2) {
       handleError(error);
     }
   });
+  network.command("grant <recipientDid> [name]").description("Grant decrypt permission for a secrets encryption network").option("--private-key <hex>", "Ethereum private key override (or set TC_PRIVATE_KEY)").action(async (recipientDid, name, options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      const node = await ensureAuthenticated(ctx, authOptions(options));
+      const networkName = name ?? "default";
+      const descriptor = await withSpinner(
+        "Ensuring encryption network...",
+        () => node.ensureEncryptionNetwork(networkName)
+      );
+      const permission = {
+        service: "tinycloud.encryption",
+        path: descriptor.networkId,
+        actions: ["decrypt"]
+      };
+      const result = await withSpinner(
+        `Granting decrypt permission to ${recipientDid}...`,
+        () => node.delegateTo(recipientDid, [permission])
+      );
+      outputJson({
+        networkId: descriptor.networkId,
+        recipientDid,
+        cid: result.delegation.cid,
+        prompted: result.prompted,
+        path: result.delegation.path,
+        actions: result.delegation.actions
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
   secrets.command("manage").description("Open the TinyCloud Secrets Manager in your browser").action(async () => {
     try {
       const open = (await import("open")).default;
@@ -2827,7 +2858,7 @@ async function readStdin4() {
   }
   return Buffer.concat(chunks);
 }
-function resolvePrivateKey3(options) {
+function resolvePrivateKey2(options) {
   const key = options.privateKey || process.env.TC_PRIVATE_KEY;
   if (!key) {
     throw new CLIError(
@@ -2844,7 +2875,7 @@ function registerVarsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey3(options);
+      const privateKey = resolvePrivateKey2(options);
       const node = await ensureAuthenticated(ctx, { privateKey });
       const prefixedKv = node.kv.withPrefix(VARIABLES_PREFIX);
       const result = await withSpinner("Listing variables...", () => prefixedKv.list());
@@ -2865,7 +2896,7 @@ function registerVarsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey3(options);
+      const privateKey = resolvePrivateKey2(options);
       const node = await ensureAuthenticated(ctx, { privateKey });
       const prefixedKv = node.kv.withPrefix(VARIABLES_PREFIX);
       const result = await withSpinner(`Getting variable ${name}...`, () => prefixedKv.get(name));
@@ -2907,7 +2938,7 @@ function registerVarsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey3(options);
+      const privateKey = resolvePrivateKey2(options);
       const node = await ensureAuthenticated(ctx, { privateKey });
       let varValue;
       const sources = [value !== void 0, !!options.file, !!options.stdin].filter(Boolean);
@@ -2942,7 +2973,7 @@ function registerVarsCommand(program2) {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      const privateKey = resolvePrivateKey3(options);
+      const privateKey = resolvePrivateKey2(options);
       const node = await ensureAuthenticated(ctx, { privateKey });
       const prefixedKv = node.kv.withPrefix(VARIABLES_PREFIX);
       const result = await withSpinner(`Deleting variable ${name}...`, () => prefixedKv.delete(name));
@@ -3733,6 +3764,7 @@ ${theme.heading("Examples:")}
   ${theme.command("tc auth login")}                        ${theme.muted("Authenticate via browser")}
   ${theme.command('tc kv put greeting "Hello"')}           ${theme.muted("Store a value")}
   ${theme.command("tc kv list")}                           ${theme.muted("List all keys")}
+  ${theme.command("tc secrets network init")}              ${theme.muted("Create the default secrets network")}
   ${theme.command("tc delegation create --to did:pkh:...")}  ${theme.muted("Grant access to another user")}
   ${theme.command("tc space list")}                        ${theme.muted("Show your spaces")}