envsec 0.1.4 → 0.1.6

package/README.md

@@ -1,27 +1,54 @@
-# envsec
+# secenv
 
-Secure environment secrets management for macOS using the native Keychain.
+Secure environment secrets management using native OS credential stores.
 
 ## Features
 
-- Store secrets in macOS Keychain (not plain text files)
+- Store secrets in your OS native credential store (not plain text files)
+- Cross-platform: macOS, Linux, Windows
 - Organize secrets by environment (dev, staging, prod, etc.)
 - Track secret types (string, number, boolean) and metadata via SQLite
 - Search secrets with glob patterns
+- Run commands with secret interpolation
+- Export secrets to `.env` files
 
 ## Requirements
 
-- macOS
 - Node.js >= 18
 
+### macOS
+
+No extra dependencies. Uses the built-in Keychain via the `security` CLI tool.
+
+### Linux
+
+Requires `libsecret-tools` (provides the `secret-tool` command), which talks to GNOME Keyring, KDE Wallet, or any Secret Service API provider via D-Bus.
+
+```bash
+# Debian / Ubuntu
+sudo apt install libsecret-tools
+
+# Fedora
+sudo dnf install libsecret
+
+# Arch
+sudo pacman -S libsecret
+```
+
+A running D-Bus session and a keyring daemon (e.g. `gnome-keyring-daemon`) must be active. Most desktop environments handle this automatically.
+
+### Windows
+
+No extra dependencies. Uses the built-in Windows Credential Manager via `cmdkey` and PowerShell.
+
 ## Installation
 
 ```bash
-npm install -g envsec
+npm install -g secenv
 ```
 
 ```bash
-npx envsec
+npx secenv
 ```
 
 ## Usage
@@ -59,6 +86,28 @@ secenv -e dev list
 secenv -e dev search "api.*"
 ```
 
+### Generate a .env file
+
+```bash
+# Creates .env with all secrets from the environment
+secenv -e dev env-file
+
+# Specify a custom output path
+secenv -e dev env-file --output .env.local
+```
+
+Keys are converted to `UPPER_SNAKE_CASE` (e.g. `api.token` → `API_TOKEN`).
+
+### Run a command with secrets
+
+```bash
+# Placeholders {key} are resolved with secret values before execution
+secenv -e dev run 'curl {api.url} -H "Authorization: Bearer {api.token}"'
+
+# Any {dotted.key} in the command string is replaced with its value
+secenv -e prod run 'psql {db.connection_string}'
+```
+
 ### Delete a secret
 
 ```bash
@@ -70,7 +119,15 @@ secenv -e dev del api.key
 
 ## How it works
 
-Secrets are stored in the macOS Keychain using the `security` command-line tool. Metadata (key names, types, timestamps) is kept in a SQLite database at `~/.secenv/store.sqlite`. Keys must contain at least one dot separator (e.g., `service.account`) which maps to the Keychain service/account structure.
+Secrets are stored in the native OS credential store. The backend is selected automatically based on the platform:
+
+| OS      | Backend                        | Tool / API                          |
+|---------|--------------------------------|-------------------------------------|
+| macOS   | Keychain                       | `security` CLI                      |
+| Linux   | Secret Service API (D-Bus)     | `secret-tool` (libsecret)           |
+| Windows | Credential Manager             | `cmdkey` + PowerShell (advapi32)    |
+
+Metadata (key names, types, timestamps) is kept in a SQLite database at `~/.secenv/store.sqlite`. Keys must contain at least one dot separator (e.g., `service.account`) which maps to the credential store's service/account structure.
 
 ## License
 

package/dist/cli/env-file.js

@@ -0,0 +1,22 @@
+import { Command, Options } from "@effect/cli";
+import { Effect } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+import { writeFileSync } from "node:fs";
+const output = Options.text("output").pipe(Options.withAlias("o"), Options.withDescription("Output file path (default: .env)"), Options.withDefault(".env"));
+export const envFileCommand = Command.make("env-file", { output }, ({ output }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    const secrets = yield* SecretStore.list(env);
+    if (secrets.length === 0) {
+        yield* Effect.log(`No secrets found for env "${env}"`);
+        return;
+    }
+    const lines = [];
+    for (const item of secrets) {
+        const value = yield* SecretStore.get(env, item.key);
+        const envKey = item.key.toUpperCase().replaceAll(".", "_");
+        lines.push(`${envKey}=${String(value)}`);
+    }
+    writeFileSync(output, lines.join("\n") + "\n", "utf-8");
+    yield* Effect.log(`Written ${secrets.length} secret(s) to ${output}`);
+}));

package/dist/cli/run.js

@@ -0,0 +1,29 @@
+import { Command, Args } from "@effect/cli";
+import { Effect } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+import { execSync } from "node:child_process";
+const cmd = Args.text({ name: "command" }).pipe(Args.withDescription("Command to execute. Use {key} placeholders for secret interpolation"));
+export const runCommand = Command.make("run", { cmd }, ({ cmd }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    // Find all {key} placeholders
+    const placeholders = [...cmd.matchAll(/\{([^}]+)\}/g)];
+    let resolved = cmd;
+    for (const match of placeholders) {
+        const key = match[1];
+        const value = yield* SecretStore.get(env, key);
+        resolved = resolved.replaceAll(`{${key}}`, String(value));
+    }
+    if (placeholders.length > 0) {
+        yield* Effect.log(`Resolved ${placeholders.length} secret(s)`);
+    }
+    try {
+        execSync(resolved, {
+            stdio: "inherit",
+            shell: process.platform === "win32" ? "cmd.exe" : "/bin/sh",
+        });
+    }
+    catch (e) {
+        yield* Effect.fail(new Error(`Command exited with code ${e.status ?? 1}`));
+    }
+}));

package/dist/implementations/LinuxSecretServiceAccess.js

@@ -0,0 +1,96 @@
+import { execFile } from "node:child_process";
+import { Effect, Layer } from "effect";
+import { KeychainAccess } from "../services/KeychainAccess.js";
+import { KeychainError, SecretNotFoundError } from "../errors.js";
+/**
+ * Linux implementation using `secret-tool` (libsecret).
+ *
+ * Stores secrets via the freedesktop.org Secret Service API (D-Bus),
+ * backed by GNOME Keyring, KDE Wallet, or any compatible provider.
+ *
+ * Requires: `libsecret-tools` package
+ *   - Debian/Ubuntu: sudo apt install libsecret-tools
+ *   - Fedora:        sudo dnf install libsecret
+ *   - Arch:          sudo pacman -S libsecret
+ */
+const run = (args, stdin) => Effect.async((resume) => {
+    const child = execFile("secret-tool", args, (error, stdout, stderr) => {
+        if (error && error.code === "ENOENT") {
+            resume(Effect.fail(new KeychainError({
+                command: args[0] ?? "unknown",
+                stderr: "secret-tool not found. Install libsecret-tools.",
+                message: "secret-tool is not installed. Install it with your package manager (e.g. apt install libsecret-tools).",
+            })));
+            return;
+        }
+        resume(Effect.succeed({
+            exitCode: error ? error.code ?? 1 : 0,
+            stdout,
+            stderr,
+        }));
+    });
+    // secret-tool store reads the password from stdin
+    if (stdin !== undefined) {
+        child.stdin?.write(stdin);
+        child.stdin?.end();
+    }
+});
+const make = KeychainAccess.of({
+    set: Effect.fn("LinuxSecretServiceAccess.set")(function* (service, account, password) {
+        // secret-tool store --label="<label>" <attribute> <value> ...
+        // Password is read from stdin
+        const result = yield* run([
+            "store",
+            "--label",
+            `secenv:${service}/${account}`,
+            "service",
+            service,
+            "account",
+            account,
+        ], password);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "store",
+                stderr: result.stderr,
+                message: `Failed to store secret: ${service}/${account}`,
+            });
+        }
+    }),
+    get: Effect.fn("LinuxSecretServiceAccess.get")(function* (service, account) {
+        // secret-tool lookup <attribute> <value> ...
+        const result = yield* run([
+            "lookup",
+            "service",
+            service,
+            "account",
+            account,
+        ]);
+        // secret-tool returns exit 0 with empty stdout when not found
+        if (result.exitCode !== 0 || result.stdout === "") {
+            return yield* new SecretNotFoundError({
+                key: account,
+                env: service,
+                message: `Secret not found: ${service}/${account}`,
+            });
+        }
+        return result.stdout.trimEnd();
+    }),
+    remove: Effect.fn("LinuxSecretServiceAccess.remove")(function* (service, account) {
+        // secret-tool clear <attribute> <value> ...
+        const result = yield* run([
+            "clear",
+            "service",
+            service,
+            "account",
+            account,
+        ]);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "clear",
+                stderr: result.stderr,
+                message: `Failed to remove secret: ${service}/${account}`,
+            });
+        }
+    }),
+});
+export const LinuxSecretServiceAccessLive = Layer.succeed(KeychainAccess, make);

package/dist/implementations/PlatformKeychainAccess.js

@@ -0,0 +1,23 @@
+import { platform } from "node:os";
+import { MacOsKeychainAccessLive } from "./MacOsKeychainAccess.js";
+import { LinuxSecretServiceAccessLive } from "./LinuxSecretServiceAccess.js";
+import { WindowsCredentialManagerAccessLive } from "./WindowsCredentialManagerAccess.js";
+/**
+ * Auto-detects the current OS and provides the appropriate KeychainAccess layer.
+ *
+ * - macOS:   uses `security` CLI (Keychain)
+ * - Linux:   uses `secret-tool` (libsecret / Secret Service API)
+ * - Windows: uses PowerShell + Credential Manager (advapi32 CredRead/cmdkey)
+ */
+export const PlatformKeychainAccessLive = (() => {
+    switch (platform()) {
+        case "darwin":
+            return MacOsKeychainAccessLive;
+        case "linux":
+            return LinuxSecretServiceAccessLive;
+        case "win32":
+            return WindowsCredentialManagerAccessLive;
+        default:
+            throw new Error(`Unsupported platform: ${platform()}. Supported: macOS, Linux, Windows.`);
+    }
+})();

package/dist/implementations/WindowsCredentialManagerAccess.js

@@ -0,0 +1,118 @@
+import { execFile } from "node:child_process";
+import { Effect, Layer } from "effect";
+import { KeychainAccess } from "../services/KeychainAccess.js";
+import { KeychainError, SecretNotFoundError } from "../errors.js";
+/**
+ * Windows implementation using PowerShell + Windows Credential Manager.
+ *
+ * Uses the built-in `cmdkey` for basic operations and PowerShell's
+ * `System.Net.NetworkCredential` / `CredentialManager` for read/write.
+ *
+ * No extra dependencies required — uses only built-in Windows APIs via PowerShell.
+ *
+ * Credential target format: "secenv:<service>/<account>"
+ */
+const runPowerShell = (script) => Effect.async((resume) => {
+    execFile("powershell.exe", [
+        "-NoProfile",
+        "-NonInteractive",
+        "-Command",
+        script,
+    ], (error, stdout, stderr) => {
+        if (error && error.code === "ENOENT") {
+            resume(Effect.fail(new KeychainError({
+                command: "powershell",
+                stderr: "powershell.exe not found",
+                message: "PowerShell is not available. Ensure you are running on Windows.",
+            })));
+            return;
+        }
+        resume(Effect.succeed({
+            exitCode: error ? error.code ?? 1 : 0,
+            stdout,
+            stderr,
+        }));
+    });
+});
+const escapePS = (s) => s.replaceAll("'", "''");
+const targetName = (service, account) => `secenv:${service}/${account}`;
+const make = KeychainAccess.of({
+    set: Effect.fn("WindowsCredentialManagerAccess.set")(function* (service, account, password) {
+        const target = escapePS(targetName(service, account));
+        const user = escapePS(account);
+        const pass = escapePS(password);
+        // Use cmdkey for simplicity — it's built-in and handles generic credentials
+        const script = `cmdkey /generic:'${target}' /user:'${user}' /pass:'${pass}'`;
+        const result = yield* runPowerShell(script);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "cmdkey /add",
+                stderr: result.stderr || result.stdout,
+                message: `Failed to store credential: ${service}/${account}`,
+            });
+        }
+    }),
+    get: Effect.fn("WindowsCredentialManagerAccess.get")(function* (service, account) {
+        const target = escapePS(targetName(service, account));
+        // Read credential using .NET CredentialManager API via PowerShell
+        // This is the only reliable way to read the password back from Credential Manager
+        const script = [
+            `Add-Type -AssemblyName System.Runtime.InteropServices`,
+            `$cred = [System.Runtime.InteropServices.Marshal]`,
+            `$target = '${target}'`,
+            // Use P/Invoke to call CredReadW
+            `Add-Type @'`,
+            `using System;`,
+            `using System.Runtime.InteropServices;`,
+            `public class CredManager {`,
+            `  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]`,
+            `  public static extern bool CredRead(string target, int type, int flags, out IntPtr cred);`,
+            `  [DllImport("advapi32.dll")]`,
+            `  public static extern void CredFree(IntPtr cred);`,
+            `  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]`,
+            `  public struct CREDENTIAL {`,
+            `    public int Flags; public int Type;`,
+            `    public string TargetName; public string Comment;`,
+            `    public long LastWritten; public int CredentialBlobSize;`,
+            `    public IntPtr CredentialBlob; public int Persist;`,
+            `    public int AttributeCount; public IntPtr Attributes;`,
+            `    public string TargetAlias; public string UserName;`,
+            `  }`,
+            `  public static string Read(string target) {`,
+            `    IntPtr ptr;`,
+            `    if (!CredRead(target, 1, 0, out ptr)) return null;`,
+            `    var c = (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL));`,
+            `    var pw = Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);`,
+            `    CredFree(ptr);`,
+            `    return pw;`,
+            `  }`,
+            `}`,
+            `'@`,
+            `$result = [CredManager]::Read('${target}')`,
+            `if ($result -eq $null) { exit 1 }`,
+            `Write-Output $result`,
+        ].join("\n");
+        const result = yield* runPowerShell(script);
+        if (result.exitCode !== 0) {
+            return yield* new SecretNotFoundError({
+                key: account,
+                env: service,
+                message: `Secret not found: ${service}/${account}`,
+            });
+        }
+        return result.stdout.trim();
+    }),
+    remove: Effect.fn("WindowsCredentialManagerAccess.remove")(function* (service, account) {
+        const target = escapePS(targetName(service, account));
+        const script = `cmdkey /delete:'${target}'`;
+        const result = yield* runPowerShell(script);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "cmdkey /delete",
+                stderr: result.stderr || result.stdout,
+                message: `Failed to remove credential: ${service}/${account}`,
+            });
+        }
+    }),
+});
+export const WindowsCredentialManagerAccessLive = Layer.succeed(KeychainAccess, make);

package/dist/main.js

@@ -9,10 +9,12 @@ import { getCommand } from "./cli/read.js";
 import { deleteCommand, delCommand } from "./cli/delete.js";
 import { searchCommand } from "./cli/search.js";
 import { listCommand } from "./cli/list.js";
+import { runCommand } from "./cli/run.js";
+import { envFileCommand } from "./cli/env-file.js";
 import { SecretStore } from "./services/SecretStore.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
-const command = rootCommand.pipe(Command.withSubcommands([addCommand, getCommand, deleteCommand, delCommand, searchCommand, listCommand]));
+const command = rootCommand.pipe(Command.withSubcommands([addCommand, getCommand, deleteCommand, delCommand, searchCommand, listCommand, runCommand, envFileCommand]));
 const cli = Command.run(command, {
     name: "secenv",
     version: pkg.version,

package/dist/services/SecretStore.js

@@ -2,11 +2,11 @@ import { Effect } from "effect";
 import { KeychainAccess } from "./KeychainAccess.js";
 import { MetadataStore } from "./MetadataStore.js";
 import * as SecretKey from "../domain/SecretKey.js";
-import { MacOsKeychainAccessLive } from "../implementations/MacOsKeychainAccess.js";
+import { PlatformKeychainAccessLive } from "../implementations/PlatformKeychainAccess.js";
 import { SqliteMetadataStoreLive } from "../implementations/SqliteMetadataStore.js";
 export class SecretStore extends Effect.Service()("SecretStore", {
     accessors: true,
-    dependencies: [MacOsKeychainAccessLive, SqliteMetadataStoreLive],
+    dependencies: [PlatformKeychainAccessLive, SqliteMetadataStoreLive],
     effect: Effect.gen(function* () {
         const keychain = yield* KeychainAccess;
         const metadata = yield* MetadataStore;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "envsec",
-  "version": "0.1.4",
-  "description": "Secure environment secrets management using macOS Keychain",
+  "version": "0.1.6",
+  "description": "Secure environment secrets management using native OS credential stores",
   "type": "module",
   "bin": {
     "secenv": "./dist/main.js"
@@ -12,9 +12,6 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "os": [
-    "darwin"
-  ],
   "scripts": {
     "build": "tsc",
     "prepublishOnly": "npm run build"
@@ -23,7 +20,12 @@
     "secrets",
     "environment-variables",
     "keychain",
+    "credential-manager",
+    "libsecret",
+    "cross-platform",
     "macos",
+    "linux",
+    "windows",
     "effect",
     "cli"
   ],