envsec 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 David Nussio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,15 @@
+# secenv
+
+To install dependencies:
+
+```bash
+bun install
+```
+
+To run:
+
+```bash
+bun run index.ts
+```
+
+This project was created using `bun init` in bun v1.3.10. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.

package/dist/cli/add.js

@@ -0,0 +1,28 @@
+import { Command, Options, Args } from "@effect/cli";
+import { Effect, Option } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+const key = Args.text({ name: "key" });
+const wordOption = Options.text("word").pipe(Options.withAlias("w"), Options.withDescription("String value to store"), Options.optional);
+const digitOption = Options.text("digit").pipe(Options.withAlias("d"), Options.withDescription("Number value to store"), Options.optional);
+const boolOption = Options.boolean("bool").pipe(Options.withAlias("b"), Options.withDescription("Boolean flag to store (presence = true)"));
+export const addCommand = Command.make("add", { key, word: wordOption, digit: digitOption, bool: boolOption }, ({ key, word, digit, bool }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    if (Option.isSome(word)) {
+        yield* SecretStore.set(env, key, word.value, "string");
+    }
+    else if (Option.isSome(digit)) {
+        const num = Number(digit.value);
+        if (isNaN(num)) {
+            return yield* Effect.fail(new Error(`Invalid number: ${digit.value}`));
+        }
+        yield* SecretStore.set(env, key, digit.value, "number");
+    }
+    else if (bool) {
+        yield* SecretStore.set(env, key, "true", "boolean");
+    }
+    else {
+        yield* SecretStore.set(env, key, "false", "boolean");
+    }
+    yield* Effect.log(`Secret "${key}" stored in env "${env}"`);
+}));

package/dist/cli/list.js

@@ -0,0 +1,15 @@
+import { Command } from "@effect/cli";
+import { Effect, Console } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+export const listCommand = Command.make("list", {}, () => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    const results = yield* SecretStore.list(env);
+    if (results.length === 0) {
+        yield* Console.log("No secrets found.");
+        return;
+    }
+    for (const item of results) {
+        yield* Console.log(`${item.key}  (${item.type})  updated: ${item.updated_at}`);
+    }
+}));

package/dist/cli/read.js

@@ -0,0 +1,10 @@
+import { Command, Args } from "@effect/cli";
+import { Effect, Console } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+const key = Args.text({ name: "key" });
+export const readCommand = Command.make("read", { key }, ({ key }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    const value = yield* SecretStore.get(env, key);
+    yield* Console.log(String(value));
+}));

package/dist/cli/root.js

@@ -0,0 +1,3 @@
+import { Command, Options } from "@effect/cli";
+const env = Options.text("env").pipe(Options.withAlias("e"), Options.withDescription("Environment name (e.g. dev, staging, prod)"));
+export const rootCommand = Command.make("secenv", { env });

package/dist/cli/search.js

@@ -0,0 +1,16 @@
+import { Command, Args } from "@effect/cli";
+import { Effect, Console } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+const pattern = Args.text({ name: "pattern" });
+export const searchCommand = Command.make("search", { pattern }, ({ pattern }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    const results = yield* SecretStore.search(env, pattern);
+    if (results.length === 0) {
+        yield* Console.log("No secrets found.");
+        return;
+    }
+    for (const item of results) {
+        yield* Console.log(`${item.key}  (${item.type})`);
+    }
+}));

package/dist/domain/SecretKey.js

@@ -0,0 +1,17 @@
+import { Effect } from "effect";
+import { InvalidKeyError } from "../errors.js";
+export const parse = Effect.fn("SecretKey.parse")(function* (key, env) {
+    const parts = key.split(".");
+    if (parts.length < 2) {
+        return yield* new InvalidKeyError({
+            key,
+            message: `Key "${key}" must have at least 2 dot-separated parts (e.g. "service.account")`,
+        });
+    }
+    const account = parts[parts.length - 1];
+    const serviceParts = parts.slice(0, -1);
+    return {
+        service: `secenv.${env}.${serviceParts.join(".")}`,
+        account,
+    };
+});

package/dist/errors.js

@@ -0,0 +1,23 @@
+import { Schema } from "effect";
+export class SecretNotFoundError extends Schema.TaggedError()("SecretNotFoundError", {
+    key: Schema.String,
+    env: Schema.String,
+    message: Schema.String,
+}) {
+}
+export class KeychainError extends Schema.TaggedError()("KeychainError", {
+    command: Schema.String,
+    stderr: Schema.String,
+    message: Schema.String,
+}) {
+}
+export class MetadataStoreError extends Schema.TaggedError()("MetadataStoreError", {
+    operation: Schema.String,
+    message: Schema.String,
+}) {
+}
+export class InvalidKeyError extends Schema.TaggedError()("InvalidKeyError", {
+    key: Schema.String,
+    message: Schema.String,
+}) {
+}

package/dist/implementations/MacOsKeychainAccess.js

@@ -0,0 +1,84 @@
+import { execFile } from "node:child_process";
+import { Effect, Layer } from "effect";
+import { KeychainAccess } from "../services/KeychainAccess.js";
+import { KeychainError, SecretNotFoundError } from "../errors.js";
+const run = (args) => Effect.async((resume) => {
+    execFile("security", args, (error, stdout, stderr) => {
+        if (error && typeof error.code === "string") {
+            resume(Effect.fail(new KeychainError({
+                command: args[0] ?? "unknown",
+                stderr: String(error),
+                message: `Failed to run security command`,
+            })));
+            return;
+        }
+        resume(Effect.succeed({
+            exitCode: error ? error.code ?? 1 : 0,
+            stdout,
+            stderr,
+        }));
+    });
+});
+const make = KeychainAccess.of({
+    set: Effect.fn("MacOsKeychainAccess.set")(function* (service, account, password) {
+        const result = yield* run([
+            "add-generic-password",
+            "-U",
+            "-s",
+            service,
+            "-a",
+            account,
+            "-w",
+            password,
+        ]);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "add-generic-password",
+                stderr: result.stderr,
+                message: `Failed to set keychain item: ${service}/${account}`,
+            });
+        }
+    }),
+    get: Effect.fn("MacOsKeychainAccess.get")(function* (service, account) {
+        const result = yield* run([
+            "find-generic-password",
+            "-s",
+            service,
+            "-a",
+            account,
+            "-w",
+        ]);
+        if (result.exitCode === 44) {
+            return yield* new SecretNotFoundError({
+                key: account,
+                env: service,
+                message: `Secret not found: ${service}/${account}`,
+            });
+        }
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "find-generic-password",
+                stderr: result.stderr,
+                message: `Failed to get keychain item: ${service}/${account}`,
+            });
+        }
+        return result.stdout.trim();
+    }),
+    remove: Effect.fn("MacOsKeychainAccess.remove")(function* (service, account) {
+        const result = yield* run([
+            "delete-generic-password",
+            "-s",
+            service,
+            "-a",
+            account,
+        ]);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "delete-generic-password",
+                stderr: result.stderr,
+                message: `Failed to remove keychain item: ${service}/${account}`,
+            });
+        }
+    }),
+});
+export const MacOsKeychainAccessLive = Layer.succeed(KeychainAccess, make);

package/dist/implementations/SqliteMetadataStore.js

@@ -0,0 +1,103 @@
+import { Effect, Layer } from "effect";
+import Database from "better-sqlite3";
+import { mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { MetadataStore } from "../services/MetadataStore.js";
+import { MetadataStoreError, SecretNotFoundError } from "../errors.js";
+const dbPath = join(homedir(), ".secenv", "store.sqlite");
+const initDb = () => {
+    mkdirSync(join(homedir(), ".secenv"), { recursive: true });
+    const db = new Database(dbPath);
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS secrets (
+      id         INTEGER PRIMARY KEY AUTOINCREMENT,
+      env        TEXT NOT NULL,
+      key        TEXT NOT NULL,
+      type       TEXT NOT NULL CHECK(type IN ('string', 'number', 'boolean')),
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at TEXT NOT NULL DEFAULT (datetime('now')),
+      UNIQUE(env, key)
+    )
+  `);
+    return db;
+};
+const make = Effect.gen(function* () {
+    const db = yield* Effect.try({
+        try: () => initDb(),
+        catch: (error) => new MetadataStoreError({
+            operation: "init",
+            message: `Failed to initialize database: ${error}`,
+        }),
+    });
+    return MetadataStore.of({
+        upsert: Effect.fn("SqliteMetadataStore.upsert")(function* (env, key, type) {
+            yield* Effect.try({
+                try: () => {
+                    db.prepare(`INSERT INTO secrets (env, key, type)
+             VALUES (?, ?, ?)
+             ON CONFLICT(env, key) DO UPDATE SET
+               type = excluded.type,
+               updated_at = datetime('now')`).run(env, key, type);
+                },
+                catch: (error) => new MetadataStoreError({
+                    operation: "upsert",
+                    message: `Failed to upsert metadata for ${env}/${key}: ${error}`,
+                }),
+            });
+        }),
+        get: Effect.fn("SqliteMetadataStore.get")(function* (env, key) {
+            const row = yield* Effect.try({
+                try: () => db
+                    .prepare(`SELECT key, type, created_at, updated_at FROM secrets WHERE env = ? AND key = ?`)
+                    .get(env, key),
+                catch: (error) => new MetadataStoreError({
+                    operation: "get",
+                    message: `Failed to get metadata for ${env}/${key}: ${error}`,
+                }),
+            });
+            if (!row) {
+                return yield* new SecretNotFoundError({
+                    key,
+                    env,
+                    message: `Secret metadata not found: ${env}/${key}`,
+                });
+            }
+            return row;
+        }),
+        remove: Effect.fn("SqliteMetadataStore.remove")(function* (env, key) {
+            yield* Effect.try({
+                try: () => {
+                    db.prepare(`DELETE FROM secrets WHERE env = ? AND key = ?`).run(env, key);
+                },
+                catch: (error) => new MetadataStoreError({
+                    operation: "remove",
+                    message: `Failed to remove metadata for ${env}/${key}: ${error}`,
+                }),
+            });
+        }),
+        search: Effect.fn("SqliteMetadataStore.search")(function* (env, pattern) {
+            return yield* Effect.try({
+                try: () => db
+                    .prepare(`SELECT key, type FROM secrets WHERE env = ? AND key GLOB ?`)
+                    .all(env, pattern),
+                catch: (error) => new MetadataStoreError({
+                    operation: "search",
+                    message: `Failed to search metadata for ${env}/${pattern}: ${error}`,
+                }),
+            });
+        }),
+        list: Effect.fn("SqliteMetadataStore.list")(function* (env) {
+            return yield* Effect.try({
+                try: () => db
+                    .prepare(`SELECT key, type, updated_at FROM secrets WHERE env = ? ORDER BY key`)
+                    .all(env),
+                catch: (error) => new MetadataStoreError({
+                    operation: "list",
+                    message: `Failed to list metadata for ${env}: ${error}`,
+                }),
+            });
+        }),
+    });
+});
+export const SqliteMetadataStoreLive = Layer.effect(MetadataStore, make);

package/dist/main.js

@@ -0,0 +1,19 @@
+#!/usr/bin/env node
+import { Command } from "@effect/cli";
+import { NodeContext, NodeRuntime } from "@effect/platform-node";
+import { Effect } from "effect";
+import { createRequire } from "node:module";
+import { rootCommand } from "./cli/root.js";
+import { addCommand } from "./cli/add.js";
+import { readCommand } from "./cli/read.js";
+import { searchCommand } from "./cli/search.js";
+import { listCommand } from "./cli/list.js";
+import { SecretStore } from "./services/SecretStore.js";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
+const command = rootCommand.pipe(Command.withSubcommands([addCommand, readCommand, searchCommand, listCommand]));
+const cli = Command.run(command, {
+    name: "secenv",
+    version: pkg.version,
+});
+cli(process.argv).pipe(Effect.provide(SecretStore.Default), Effect.provide(NodeContext.layer), NodeRuntime.runMain);

package/dist/services/KeychainAccess.js

@@ -0,0 +1,3 @@
+import { Context } from "effect";
+export class KeychainAccess extends Context.Tag("KeychainAccess")() {
+}

package/dist/services/MetadataStore.js

@@ -0,0 +1,3 @@
+import { Context } from "effect";
+export class MetadataStore extends Context.Tag("MetadataStore")() {
+}

package/dist/services/SecretStore.js

@@ -0,0 +1,45 @@
+import { Effect } from "effect";
+import { KeychainAccess } from "./KeychainAccess.js";
+import { MetadataStore } from "./MetadataStore.js";
+import * as SecretKey from "../domain/SecretKey.js";
+import { MacOsKeychainAccessLive } from "../implementations/MacOsKeychainAccess.js";
+import { SqliteMetadataStoreLive } from "../implementations/SqliteMetadataStore.js";
+export class SecretStore extends Effect.Service()("SecretStore", {
+    accessors: true,
+    dependencies: [MacOsKeychainAccessLive, SqliteMetadataStoreLive],
+    effect: Effect.gen(function* () {
+        const keychain = yield* KeychainAccess;
+        const metadata = yield* MetadataStore;
+        const set = Effect.fn("SecretStore.set")(function* (env, key, value, type) {
+            const parsed = yield* SecretKey.parse(key, env);
+            yield* keychain.set(parsed.service, parsed.account, value);
+            yield* metadata.upsert(env, key, type);
+        });
+        const get = Effect.fn("SecretStore.get")(function* (env, key) {
+            const meta = yield* metadata.get(env, key);
+            const parsed = yield* SecretKey.parse(key, env);
+            const raw = yield* keychain.get(parsed.service, parsed.account);
+            switch (meta.type) {
+                case "number":
+                    return Number(raw);
+                case "boolean":
+                    return raw === "true";
+                default:
+                    return raw;
+            }
+        });
+        const remove = Effect.fn("SecretStore.remove")(function* (env, key) {
+            const parsed = yield* SecretKey.parse(key, env);
+            yield* keychain.remove(parsed.service, parsed.account);
+            yield* metadata.remove(env, key);
+        });
+        const search = Effect.fn("SecretStore.search")(function* (env, pattern) {
+            return yield* metadata.search(env, pattern);
+        });
+        const list = Effect.fn("SecretStore.list")(function* (env) {
+            return yield* metadata.list(env);
+        });
+        return { set, get, remove, search, list };
+    }),
+}) {
+}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "envsec",
+  "version": "0.1.1",
+  "description": "Secure environment secrets management using macOS Keychain",
+  "type": "module",
+  "bin": {
+    "secenv": "./dist/main.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "os": [
+    "darwin"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "secrets",
+    "environment-variables",
+    "keychain",
+    "macos",
+    "effect",
+    "cli"
+  ],
+  "author": "David Nussio",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/davidnussio/secenv.git"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@effect/cli": "^0.73.2",
+    "@effect/platform": "^0.94.5",
+    "@effect/platform-node": "^0.104.1",
+    "better-sqlite3": "^12.8.0",
+    "effect": "^3.19.19"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^22",
+    "typescript": "^5"
+  }
+}