envsec 0.1.2 → 0.1.5

package/README.md

@@ -1,15 +1,101 @@
 # secenv
 
-To install dependencies:
+Secure environment secrets management for macOS using the native Keychain.
+
+## Features
+
+- Store secrets in macOS Keychain (not plain text files)
+- Organize secrets by environment (dev, staging, prod, etc.)
+- Track secret types (string, number, boolean) and metadata via SQLite
+- Search secrets with glob patterns
+- Run commands with secret interpolation
+- Export secrets to `.env` files
+
+## Requirements
+
+- macOS
+- Node.js >= 18
+
+## Installation
+
+```bash
+npm install -g secenv
+```
+
+```bash
+npx secenv
+```
+
+## Usage
+
+All commands require an environment specified with `--env` (or `-e`):
+
+### Add a secret
 
 ```bash
-bun install
+# Store a string
+secenv -e dev add api.key --word "sk-abc123"
+
+# Store a number
+secenv -e dev add server.port --digit 3000
+
+# Store a boolean
+secenv -e dev add feature.enabled --bool
 ```
 
-To run:
+### Get a secret
 
 ```bash
-bun run index.ts
+secenv -e dev get api.key
 ```
 
-This project was created using `bun init` in bun v1.3.10. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.
+### List all secrets
+
+```bash
+secenv -e dev list
+```
+
+### Search secrets
+
+```bash
+secenv -e dev search "api.*"
+```
+
+### Generate a .env file
+
+```bash
+# Creates .env with all secrets from the environment
+secenv -e dev env-file
+
+# Specify a custom output path
+secenv -e dev env-file --output .env.local
+```
+
+Keys are converted to `UPPER_SNAKE_CASE` (e.g. `api.token` → `API_TOKEN`).
+
+### Run a command with secrets
+
+```bash
+# Placeholders {key} are resolved with secret values before execution
+secenv -e dev run 'curl {api.url} -H "Authorization: Bearer {api.token}"'
+
+# Any {dotted.key} in the command string is replaced with its value
+secenv -e prod run 'psql {db.connection_string}'
+```
+
+### Delete a secret
+
+```bash
+secenv -e dev delete api.key
+
+# or use the alias
+secenv -e dev del api.key
+```
+
+## How it works
+
+Secrets are stored in the macOS Keychain using the `security` command-line tool. Metadata (key names, types, timestamps) is kept in a SQLite database at `~/.secenv/store.sqlite`. Keys must contain at least one dot separator (e.g., `service.account`) which maps to the Keychain service/account structure.
+
+## License
+
+MIT

package/dist/cli/env-file.js

@@ -0,0 +1,22 @@
+import { Command, Options } from "@effect/cli";
+import { Effect } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+import { writeFileSync } from "node:fs";
+const output = Options.text("output").pipe(Options.withAlias("o"), Options.withDescription("Output file path (default: .env)"), Options.withDefault(".env"));
+export const envFileCommand = Command.make("env-file", { output }, ({ output }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    const secrets = yield* SecretStore.list(env);
+    if (secrets.length === 0) {
+        yield* Effect.log(`No secrets found for env "${env}"`);
+        return;
+    }
+    const lines = [];
+    for (const item of secrets) {
+        const value = yield* SecretStore.get(env, item.key);
+        const envKey = item.key.toUpperCase().replaceAll(".", "_");
+        lines.push(`${envKey}=${String(value)}`);
+    }
+    writeFileSync(output, lines.join("\n") + "\n", "utf-8");
+    yield* Effect.log(`Written ${secrets.length} secret(s) to ${output}`);
+}));

package/dist/cli/run.js

@@ -0,0 +1,26 @@
+import { Command, Args } from "@effect/cli";
+import { Effect } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+import { execSync } from "node:child_process";
+const cmd = Args.text({ name: "command" }).pipe(Args.withDescription("Command to execute. Use {key} placeholders for secret interpolation"));
+export const runCommand = Command.make("run", { cmd }, ({ cmd }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    // Find all {key} placeholders
+    const placeholders = [...cmd.matchAll(/\{([^}]+)\}/g)];
+    let resolved = cmd;
+    for (const match of placeholders) {
+        const key = match[1];
+        const value = yield* SecretStore.get(env, key);
+        resolved = resolved.replaceAll(`{${key}}`, String(value));
+    }
+    if (placeholders.length > 0) {
+        yield* Effect.log(`Resolved ${placeholders.length} secret(s)`);
+    }
+    try {
+        execSync(resolved, { stdio: "inherit", shell: "/bin/bash" });
+    }
+    catch (e) {
+        yield* Effect.fail(new Error(`Command exited with code ${e.status ?? 1}`));
+    }
+}));

package/dist/implementations/SqliteMetadataStore.js

@@ -1,15 +1,19 @@
 import { Effect, Layer } from "effect";
-import Database from "better-sqlite3";
-import { mkdirSync } from "node:fs";
+import initSqlJs from "sql.js";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { MetadataStore } from "../services/MetadataStore.js";
 import { MetadataStoreError, SecretNotFoundError } from "../errors.js";
-const dbPath = join(homedir(), ".secenv", "store.sqlite");
-const initDb = () => {
-    mkdirSync(join(homedir(), ".secenv"), { recursive: true });
-    const db = new Database(dbPath);
-    db.exec(`
+const dbDir = join(homedir(), ".secenv");
+const dbPath = join(dbDir, "store.sqlite");
+const initDb = async () => {
+    mkdirSync(dbDir, { recursive: true });
+    const SQL = await initSqlJs();
+    const db = existsSync(dbPath)
+        ? new SQL.Database(readFileSync(dbPath))
+        : new SQL.Database();
+    db.run(`
     CREATE TABLE IF NOT EXISTS secrets (
       id         INTEGER PRIMARY KEY AUTOINCREMENT,
       env        TEXT NOT NULL,
@@ -20,10 +24,14 @@ const initDb = () => {
       UNIQUE(env, key)
     )
   `);
+    persist(db);
     return db;
 };
+const persist = (db) => {
+    writeFileSync(dbPath, Buffer.from(db.export()));
+};
 const make = Effect.gen(function* () {
-    const db = yield* Effect.try({
+    const db = yield* Effect.tryPromise({
         try: () => initDb(),
         catch: (error) => new MetadataStoreError({
             operation: "init",
@@ -34,11 +42,12 @@ const make = Effect.gen(function* () {
         upsert: Effect.fn("SqliteMetadataStore.upsert")(function* (env, key, type) {
             yield* Effect.try({
                 try: () => {
-                    db.prepare(`INSERT INTO secrets (env, key, type)
+                    db.run(`INSERT INTO secrets (env, key, type)
              VALUES (?, ?, ?)
              ON CONFLICT(env, key) DO UPDATE SET
                type = excluded.type,
-               updated_at = datetime('now')`).run(env, key, type);
+               updated_at = datetime('now')`, [env, key, type]);
+                    persist(db);
                 },
                 catch: (error) => new MetadataStoreError({
                     operation: "upsert",
@@ -48,9 +57,17 @@ const make = Effect.gen(function* () {
         }),
         get: Effect.fn("SqliteMetadataStore.get")(function* (env, key) {
             const row = yield* Effect.try({
-                try: () => db
-                    .prepare(`SELECT key, type, created_at, updated_at FROM secrets WHERE env = ? AND key = ?`)
-                    .get(env, key),
+                try: () => {
+                    const stmt = db.prepare(`SELECT key, type, created_at, updated_at FROM secrets WHERE env = ? AND key = ?`);
+                    stmt.bind([env, key]);
+                    if (!stmt.step()) {
+                        stmt.free();
+                        return null;
+                    }
+                    const result = stmt.getAsObject();
+                    stmt.free();
+                    return result;
+                },
                 catch: (error) => new MetadataStoreError({
                     operation: "get",
                     message: `Failed to get metadata for ${env}/${key}: ${error}`,
@@ -68,7 +85,8 @@ const make = Effect.gen(function* () {
         remove: Effect.fn("SqliteMetadataStore.remove")(function* (env, key) {
             yield* Effect.try({
                 try: () => {
-                    db.prepare(`DELETE FROM secrets WHERE env = ? AND key = ?`).run(env, key);
+                    db.run(`DELETE FROM secrets WHERE env = ? AND key = ?`, [env, key]);
+                    persist(db);
                 },
                 catch: (error) => new MetadataStoreError({
                     operation: "remove",
@@ -78,9 +96,16 @@ const make = Effect.gen(function* () {
         }),
         search: Effect.fn("SqliteMetadataStore.search")(function* (env, pattern) {
             return yield* Effect.try({
-                try: () => db
-                    .prepare(`SELECT key, type FROM secrets WHERE env = ? AND key GLOB ?`)
-                    .all(env, pattern),
+                try: () => {
+                    const results = [];
+                    const stmt = db.prepare(`SELECT key, type FROM secrets WHERE env = ? AND key GLOB ?`);
+                    stmt.bind([env, pattern]);
+                    while (stmt.step()) {
+                        results.push(stmt.getAsObject());
+                    }
+                    stmt.free();
+                    return results;
+                },
                 catch: (error) => new MetadataStoreError({
                     operation: "search",
                     message: `Failed to search metadata for ${env}/${pattern}: ${error}`,
@@ -89,9 +114,16 @@ const make = Effect.gen(function* () {
         }),
         list: Effect.fn("SqliteMetadataStore.list")(function* (env) {
             return yield* Effect.try({
-                try: () => db
-                    .prepare(`SELECT key, type, updated_at FROM secrets WHERE env = ? ORDER BY key`)
-                    .all(env),
+                try: () => {
+                    const results = [];
+                    const stmt = db.prepare(`SELECT key, type, updated_at FROM secrets WHERE env = ? ORDER BY key`);
+                    stmt.bind([env]);
+                    while (stmt.step()) {
+                        results.push(stmt.getAsObject());
+                    }
+                    stmt.free();
+                    return results;
+                },
                 catch: (error) => new MetadataStoreError({
                     operation: "list",
                     message: `Failed to list metadata for ${env}: ${error}`,

package/dist/main.js

@@ -9,10 +9,12 @@ import { getCommand } from "./cli/read.js";
 import { deleteCommand, delCommand } from "./cli/delete.js";
 import { searchCommand } from "./cli/search.js";
 import { listCommand } from "./cli/list.js";
+import { runCommand } from "./cli/run.js";
+import { envFileCommand } from "./cli/env-file.js";
 import { SecretStore } from "./services/SecretStore.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
-const command = rootCommand.pipe(Command.withSubcommands([addCommand, getCommand, deleteCommand, delCommand, searchCommand, listCommand]));
+const command = rootCommand.pipe(Command.withSubcommands([addCommand, getCommand, deleteCommand, delCommand, searchCommand, listCommand, runCommand, envFileCommand]));
 const cli = Command.run(command, {
     name: "secenv",
     version: pkg.version,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envsec",
-  "version": "0.1.2",
+  "version": "0.1.5",
   "description": "Secure environment secrets management using macOS Keychain",
   "type": "module",
   "bin": {
@@ -40,12 +40,12 @@
     "@effect/cli": "^0.73.2",
     "@effect/platform": "^0.94.5",
     "@effect/platform-node": "^0.104.1",
-    "better-sqlite3": "^12.8.0",
-    "effect": "^3.19.19"
+    "effect": "^3.19.19",
+    "sql.js": "^1.14.1"
   },
   "devDependencies": {
-    "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^22",
+    "@types/sql.js": "^1.4.9",
     "typescript": "^5"
   }
 }