npm - envspot - Versions diffs - 0.1.0 → 0.1.2 - Mend

envspot 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -1,26 +1,87 @@
-# EnvSpot CLI (`envspot`)
+# envspot
-Minimal reference for the **`login` · `link` · `run`** surface. Full command reference: **[`../docs/cli-reference.md`](../docs/cli-reference.md)**. Historical SD-02 sequence + rationale: **[`../docs/historical/SD-02-cli-sequence.md`](../docs/historical/SD-02-cli-sequence.md)**.
+Encrypted environment variables for your team, managed from the command line.
-## Trust model (matches SD-01 §8 / SD-02 §7)
+`envspot` is the command-line client for [EnvSpot](https://envspot.com). Link a
+directory to a project, pull your secrets straight into a process, and keep
+`.env` files off disk and out of git.
-- **Plaintext secrets** — only in process memory during `run`, after **`GET /api/cli/decrypt`** over TLS. Nothing is written to disk as a secret bundle.
-- **No DEK / no master key on the client** — unwrap and decrypt happen server-side.
-- **`.envspot.json`** — project id + environment label only; safe to commit unless you treat the project id as sensitive.
-- **Token** — stored with **keytar** (OS keychain); on **401** / `token_invalid`, `run` clears the stored credential and exits **4** so you re-`login`.
+This package is the CLI. EnvSpot is also a hosted platform — a web dashboard for
+projects, environments, team access, audit history, and syncing secrets to your
+deploy targets — at [envspot.com](https://envspot.com).
-## User-Agent
+## Install
-All requests send **`User-Agent: envspot-cli/<semver>`** (`cli/src/config.ts`) for server-side audits (SD-01 §5.2).
+```bash
+npm install -g envspot
+```
+Or run it without installing:
-## Resolved product choices
+```bash
+npx envspot <command>
+```
-Exit codes, retries, **403** tier responses, and operational note on auth-tag / decrypt failures: **[`../docs/historical/sd-open-questions-resolved.md`](../docs/historical/sd-open-questions-resolved.md)**.
+Requires Node.js 18 or newer.
-## Build
+## Quick start
 ```bash
-cd cli && npm ci && npm run build
+envspot init                # create + link a project, import your .env, start your dev server
+envspot login               # sign in via browser device pairing
+envspot link                # link this directory to a project + environment
+envspot run -- npm start    # run a command with your secrets injected as env vars
 ```
-Bin: **`envspot`** → **`./dist/index.js`**.
+## Commands
+| Command           | What it does                                                                            |
+| ----------------- | --------------------------------------------------------------------------------------- |
+| `init`            | Create a project from this directory, link it, import `.env`, and start your dev server |
+| `login`           | Sign in via browser device pairing, or store an API key for token login                 |
+| `logout`          | Remove the stored credential                                                            |
+| `link`            | Write `./.envspot.json` (project id + environment)                                      |
+| `run -- <cmd>`    | Run a command with the linked project's secrets injected as environment variables       |
+| `dump`            | Print the linked project's secrets as `KEY=value` to stdout (nothing written to disk)   |
+| `set <key> <val>` | Set one secret for the linked project                                                   |
+| `unset <key>`     | Delete one secret                                                                       |
+| `status`          | Show the API/app URL and your credential + link state                                   |
+| `whoami`          | Show the signed-in user, workspace, and active link or token scope                      |
+| `fly deploy`      | Stage the linked project's secrets to Fly.io and deploy                                 |
+Run `envspot help` or `envspot <command> --help` for full options.
+## Integrations
+EnvSpot syncs your secrets to your deployment targets so you set a value once and
+it lands everywhere. Supported targets: **GitHub Actions, Vercel, Render, Railway,
+and Fly.io** — connected and managed in the [dashboard](https://envspot.com).
+`fly deploy` is the one target you can push to directly from the CLI; the rest
+sync automatically once connected in the dashboard.
+## Configuration
+| Variable        | Purpose                                                      |
+| --------------- | ------------------------------------------------------------ |
+| `ENVSPOT_TOKEN` | API key for non-interactive / CI use (skips the OS keychain) |
+## How your secrets are handled
+- **Decryption happens server-side.** No master key or data-encryption key ever
+  lives on your machine.
+- **Plaintext secrets stay in memory.** `run` holds them only for the lifetime of
+  the child process; nothing is written to disk as a secret bundle.
+- **Your credential lives in the OS keychain**, not a plaintext file. On an expired
+  or revoked token, the CLI clears it and asks you to sign in again.
+- **`.envspot.json` is safe to commit** — it holds only the project id and
+  environment label, never secrets.
+## Links
+- Website: https://envspot.com
+- Questions or bug reports: contact@envspot.com
+## License
+MIT

package/dist/config.js CHANGED Viewed

@@ -2,6 +2,9 @@ import { readFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 const __dirname = dirname(fileURLToPath(import.meta.url));
+// Brand display name for CLI prose. The binary/package/config-file name stays
+// lowercase `envspot`; this is only the human-facing company name.
+export const BRAND_NAME = "envSpot";
 export function packageVersion() {
     const pjPath = join(__dirname, "..", "package.json");
     const pj = JSON.parse(readFileSync(pjPath, "utf8"));
@@ -19,7 +22,9 @@ export function apiBase() {
         return process.env.ENVV_API_URL.trim();
     if (process.env.NODE_ENV === "development")
         return "http://localhost:3000";
-    return "https://api.envspot.com";
+    // API routes live under /api on the main app origin (single Next.js app);
+    // there is no api.* subdomain. Keep in sync with appOrigin() below.
+    return "https://envspot.com";
 }
 /** Browser/dashboard origin for CLI login approval (dashboard lives here, not on API origin). */
 export function appOrigin() {
@@ -35,7 +40,8 @@ export function appOrigin() {
     return "https://envspot.com";
 }
 export function statusPageHint() {
-    return process.env.ENVSPOT_STATUS_URL?.trim() || "https://status.envspot.com";
+    // No public status page yet; surface a link only if one is configured.
+    return process.env.ENVSPOT_STATUS_URL?.trim() || "";
 }
 export function upgradePageHint(jsonUpgradeUrl) {
     const u = typeof jsonUpgradeUrl === "string" && jsonUpgradeUrl.trim().length > 0

package/dist/fly-deploy.js CHANGED Viewed

@@ -7,6 +7,7 @@ import { authRequired, flyctlNotInstalled, flyTomlNotFound } from "./errors.js";
 import * as out from "./output.js";
 import { fetchProjectSecrets, resolveLinkScope } from "./secrets.js";
 import { isHeadlessToken } from "./token-kind.js";
+import { BRAND_NAME } from "./config.js";
 /**
  * Parse the tail of `envspot fly deploy …`. `--app`/`--no-secrets` are ours;
  * every other token forwards verbatim to `flyctl deploy`. `--app` is also
@@ -124,7 +125,7 @@ export async function executeFlyDeploy(parsed, deps = {}) {
             ? await fetchProjectSecrets(token)
             : await fetchProjectSecrets(token, resolveLinkScope());
         const keys = Object.keys(secrets).sort();
-        out.step(`Fetched ${keys.length} secret${keys.length === 1 ? "" : "s"} from EnvSpot`);
+        out.step(`Fetched ${keys.length} secret${keys.length === 1 ? "" : "s"} from ${BRAND_NAME}`);
         if (keys.length === 0) {
             // Likely a wrong env/scope rather than a genuinely empty project — make
             // the silent "deployed with no secrets" footgun visible.

package/dist/http.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { apiBase, cliUserAgent, statusPageHint } from "./config.js";
+import { apiBase, BRAND_NAME, cliUserAgent, statusPageHint } from "./config.js";
 import { CliError, ERR } from "./errors.js";
 export function apiUrl(path) {
     const base = apiBase().replace(/\/$/, "");
@@ -29,8 +29,9 @@ export function describeTransportFailure(err) {
     const msg = err instanceof Error
         ? `${err.message}${err.cause instanceof Error ? ` (${err.cause.message})` : ""}`
         : String(err);
-    return (`Couldn't reach EnvSpot. Check your connection.\n` +
-        `${statusPageHint()}\n` +
+    const status = statusPageHint();
+    return (`Couldn't reach ${BRAND_NAME}. Check your connection.\n` +
+        (status ? `${status}\n` : "") +
         `  Detail: ${msg}`);
 }
 /** 3× backoff for transport faults (plus first attempt ⇒ 4 tries). */

package/dist/whoami.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { CliError, ERR, notLoggedIn } from "./errors.js";
 import { apiUrl, backoffTransport, fetchWithCliHeaders, parseJsonSafely, rethrowTransport, } from "./http.js";
 import { findEnvspotLink } from "./paths.js";
 import { isHeadlessToken } from "./token-kind.js";
+import { BRAND_NAME } from "./config.js";
 /** Bearer signing tolerates this much clock skew; past it, auth gets flaky. */
 const CLOCK_SKEW_TOLERANCE_MS = 5 * 60 * 1000;
 /** Mask a stored token for display: kind prefix + a few chars, rest hidden.
@@ -29,7 +30,7 @@ export function clockSkewWarning(serverDateHeader, nowMs) {
     return (`warning[E0074]: System clock differs from envspot.com by ${minutes}m ` +
         `(local: ${new Date(nowMs).toISOString()}, server: ${new Date(serverMs).toISOString()}).\n` +
         `  help: Bearer signing tolerates 5 minutes of skew; past that, expect intermittent auth failures. Ensure NTP is running.\n` +
-        `  docs: https://docs.envspot.com/errors/E0074`);
+        `  docs: https://envspot.com/docs/errors/E0074`);
 }
 function titleCaseTier(tier) {
     return tier.length ? tier[0].toUpperCase() + tier.slice(1) : tier;
@@ -74,7 +75,7 @@ export async function executeWhoami(opts, nowMs = Date.now()) {
     // otherwise null-deref in formatWhoami or print "null" under --json.
     const data = analyzed.json;
     if (!data || typeof data.user !== "object" || data.user === null) {
-        throw new CliError(ERR.UNEXPECTED, "Malformed response from envspot (expected whoami JSON).");
+        throw new CliError(ERR.UNEXPECTED, `Malformed response from ${BRAND_NAME} (expected whoami JSON).`);
     }
     // Emit the skew warning before the --json early return: CI uses --json, and
     // that is exactly where clock skew silently breaks bearer auth. It goes to

package/package.json CHANGED Viewed

@@ -1,9 +1,9 @@
 {
   "name": "envspot",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "CLI for envspot — encrypted environment variables for your team",
   "license": "MIT",
-  "author": "EnvSpot",
+  "author": "envSpot",
   "homepage": "https://envspot.com",
   "repository": {
     "type": "git",
@@ -11,7 +11,7 @@
     "directory": "cli"
   },
   "bugs": {
-    "url": "https://github.com/EnvSpot/envspot/issues"
+    "email": "contact@envspot.com"
   },
   "keywords": [
     "envspot",