keyra-cli 0.1.0

package/cli/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "keyra",
+  "version": "0.1.0",
+  "description": "Encrypted .env vault. Sync, share, and never lose an API key.",
+  "bin": {
+    "keyra": "./dist/index.js"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --target node18 --clean --shims",
+    "dev": "tsup src/index.ts --format esm --target node18 --watch --shims"
+  },
+  "keywords": [
+    "env",
+    "dotenv",
+    "secrets",
+    "vault",
+    "cli",
+    "encryption"
+  ],
+  "license": "MIT",
+  "type": "module",
+  "dependencies": {
+    "boxen": "^8.0.1",
+    "chalk": "^5.6.2",
+    "commander": "^14.0.3",
+    "inquirer": "^13.2.5",
+    "open": "^11.0.0",
+    "ora": "^9.3.0"
+  },
+  "devDependencies": {
+    "@types/inquirer": "^9.0.9",
+    "@types/node": "^25.2.3",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}

package/cli/src/commands/guard.ts

@@ -0,0 +1,89 @@
+import { Command } from 'commander';
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { success, error, warning, printBox } from '../lib/ui.js';
+
+const HOOK_MARKER = '# keyra-guard';
+const PRE_COMMIT_HOOK = `#!/bin/sh
+${HOOK_MARKER}
+# Keyra Git Guardian — blocks accidental .env commits
+# https://keyra.dev
+
+staged=$(git diff --cached --name-only 2>/dev/null)
+
+for file in $staged; do
+  if echo "$file" | grep -qE '(^|\\.)\\.env(\\..*)?$'; then
+    echo ""
+    echo "  \\033[0;31m✗ Keyra Git Guardian blocked your commit\\033[0m"
+    echo "  \\033[0;33m⚠ Detected .env file in staged changes: $file\\033[0m"
+    echo ""
+    echo "  Commit secrets to your Keyra vault instead:"
+    echo "    keyra push"
+    echo ""
+    exit 1
+  fi
+done
+`;
+
+export const guardCommand = new Command('guard')
+  .description('Install a pre-commit hook to block accidental .env commits')
+  .action(async () => {
+    // Find .git directory
+    let gitDir: string | null = null;
+    let dir = process.cwd();
+    for (let i = 0; i < 10; i++) {
+      const candidate = path.join(dir, '.git');
+      if (fs.existsSync(candidate) && fs.statSync(candidate).isDirectory()) {
+        gitDir = candidate;
+        break;
+      }
+      const parent = path.dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+
+    if (!gitDir) {
+      error('Not inside a git repository.');
+      process.exit(1);
+    }
+
+    const hooksDir = path.join(gitDir, 'hooks');
+    if (!fs.existsSync(hooksDir)) {
+      fs.mkdirSync(hooksDir, { recursive: true });
+    }
+
+    const hookPath = path.join(hooksDir, 'pre-commit');
+
+    // Check if already installed
+    if (fs.existsSync(hookPath)) {
+      const existing = fs.readFileSync(hookPath, 'utf-8');
+      if (existing.includes(HOOK_MARKER)) {
+        warning('Git Guardian is already installed in this repository.');
+        return;
+      }
+      // Append to existing hook
+      fs.appendFileSync(hookPath, '\n' + PRE_COMMIT_HOOK);
+      success('Git Guardian appended to existing pre-commit hook.');
+    } else {
+      fs.writeFileSync(hookPath, PRE_COMMIT_HOOK);
+    }
+
+    // Make executable (no-op on Windows, but harmless)
+    try {
+      fs.chmodSync(hookPath, 0o755);
+    } catch {
+      // Windows doesn't support chmod
+    }
+
+    printBox(
+      chalk.green.bold('Git Guardian installed') +
+        '\n\n' +
+        chalk.dim('Pre-commit hook added to: ') +
+        chalk.white(hookPath) +
+        '\n\n' +
+        chalk.dim('Now if you accidentally stage a .env file,\n') +
+        chalk.dim('git commit will be blocked automatically.'),
+      'green'
+    );
+  });

package/cli/src/commands/init.ts

@@ -0,0 +1,172 @@
+import { Command } from 'commander';
+import path from 'path';
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import {
+  requireAuth,
+  hasProjectConfig,
+  loadProjectConfig,
+  saveProjectConfig,
+  addToGitignore,
+} from '../lib/config.js';
+import { createProject, upsertVaultEntries } from '../lib/api.js';
+import { readEnvFile } from '../lib/env-file.js';
+import { encrypt } from '../lib/encryption.js';
+import { success, error, info, spinner, printBox } from '../lib/ui.js';
+
+export const initCommand = new Command('init')
+  .description('Link current directory to a Keyra project')
+  .action(async () => {
+    let config;
+    try {
+      config = requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    if (hasProjectConfig()) {
+      const existing = loadProjectConfig();
+      info(
+        `This project is already linked to vault project: ${chalk.bold(existing?.projectName)}`
+      );
+      info('Run `keyra push` or `keyra pull` to sync.');
+      return;
+    }
+
+    const folderName = path.basename(process.cwd());
+
+    const { name } = await inquirer.prompt([
+      {
+        type: 'input',
+        name: 'name',
+        message: 'Project name:',
+        default: folderName,
+        validate: (input: string) =>
+          input.trim().length > 0 || 'Name is required',
+      },
+    ]);
+
+    const s = spinner('Creating project...');
+    s.start();
+
+    let project;
+    try {
+      project = await createProject(name.trim());
+      s.stop();
+      success(`Project "${project.name}" created`);
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+      return;
+    }
+
+    // Check for existing .env file
+    const envData = readEnvFile();
+    if (envData) {
+      const varCount = Object.keys(envData.vars).length;
+      const { importVars } = await inquirer.prompt([
+        {
+          type: 'confirm',
+          name: 'importVars',
+          message: `Found ${envData.filename} with ${varCount} variable${varCount !== 1 ? 's' : ''}. Import them to your vault?`,
+          default: true,
+        },
+      ]);
+
+      if (importVars) {
+        const uploadSpinner = spinner('Encrypting and uploading...');
+        uploadSpinner.start();
+
+        try {
+          const entries = Object.entries(envData.vars).map(([key, value]) => {
+            const encrypted = encrypt(value, config.passphrase);
+            return {
+              key_name: key,
+              encrypted_value: encrypted.encrypted,
+              iv: encrypted.iv,
+              salt: encrypted.salt,
+              auth_tag: encrypted.authTag,
+              category: guessCategory(key),
+            };
+          });
+
+          await upsertVaultEntries(project.id, entries);
+          uploadSpinner.stop();
+          success(`Imported ${entries.length} variable${entries.length !== 1 ? 's' : ''} to vault`);
+        } catch (err: any) {
+          uploadSpinner.stop();
+          error(`Failed to import: ${err.message}`);
+        }
+      }
+    }
+
+    saveProjectConfig({
+      projectId: project.id,
+      projectName: project.name,
+    });
+
+    addToGitignore('.keyra.json');
+
+    printBox(
+      chalk.green.bold(`Project "${project.name}" created and linked.`) +
+        '\n\n' +
+        chalk.dim('Use ') +
+        chalk.white('keyra push') +
+        chalk.dim(' and ') +
+        chalk.white('keyra pull') +
+        chalk.dim(' to sync.')
+    );
+  });
+
+function guessCategory(key: string): string {
+  const k = key.toUpperCase();
+  if (k.includes('OPENAI') || k.includes('ANTHROPIC') || k.includes('AI'))
+    return 'ai';
+  if (
+    k.includes('DATABASE') ||
+    k.includes('DB_') ||
+    k.includes('POSTGRES') ||
+    k.includes('MYSQL') ||
+    k.includes('MONGO') ||
+    k.includes('REDIS') ||
+    k.includes('SUPABASE')
+  )
+    return 'database';
+  if (
+    k.includes('AUTH') ||
+    k.includes('JWT') ||
+    k.includes('SESSION') ||
+    k.includes('NEXTAUTH') ||
+    k.includes('CLERK')
+  )
+    return 'auth';
+  if (k.includes('STRIPE') || k.includes('PAYMENT') || k.includes('PAYPAL'))
+    return 'payment';
+  if (
+    k.includes('VERCEL') ||
+    k.includes('AWS') ||
+    k.includes('GCP') ||
+    k.includes('AZURE') ||
+    k.includes('HEROKU') ||
+    k.includes('DEPLOY')
+  )
+    return 'hosting';
+  if (
+    k.includes('SMTP') ||
+    k.includes('EMAIL') ||
+    k.includes('SENDGRID') ||
+    k.includes('RESEND') ||
+    k.includes('MAILGUN')
+  )
+    return 'email';
+  if (
+    k.includes('ANALYTICS') ||
+    k.includes('MIXPANEL') ||
+    k.includes('GA_') ||
+    k.includes('POSTHOG') ||
+    k.includes('SENTRY')
+  )
+    return 'analytics';
+  return 'general';
+}

package/cli/src/commands/list.ts

@@ -0,0 +1,60 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import { requireAuth } from '../lib/config.js';
+import { getProjects } from '../lib/api.js';
+import { error, info, spinner } from '../lib/ui.js';
+
+export const listCommand = new Command('list')
+  .alias('ls')
+  .description('List all your projects')
+  .action(async () => {
+    try {
+      requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    const s = spinner('Loading projects...');
+    s.start();
+
+    try {
+      const projects = await getProjects();
+      s.stop();
+
+      if (projects.length === 0) {
+        info('No projects yet. Run `keyra init` in a project folder.');
+        return;
+      }
+
+      console.log();
+      console.log(chalk.bold(`  ${projects.length} project${projects.length !== 1 ? 's' : ''}:`));
+      console.log();
+
+      // Calculate column widths
+      const maxName = Math.max(...projects.map((p) => p.name.length), 4);
+
+      // Header
+      console.log(
+        chalk.dim(
+          `  ${'Name'.padEnd(maxName + 2)}${'Vars'.padEnd(8)}Last Synced`
+        )
+      );
+      console.log(chalk.dim(`  ${'─'.repeat(maxName + 2 + 8 + 20)}`));
+
+      for (const project of projects) {
+        const name = chalk.green(project.name.padEnd(maxName + 2));
+        const vars = String(project.var_count).padEnd(8);
+        const synced = project.last_synced_at
+          ? new Date(project.last_synced_at).toLocaleDateString()
+          : chalk.dim('never');
+
+        console.log(`  ${name}${vars}${synced}`);
+      }
+
+      console.log();
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+    }
+  });

package/cli/src/commands/login.ts

@@ -0,0 +1,116 @@
+import { Command } from 'commander';
+import inquirer from 'inquirer';
+import open from 'open';
+import chalk from 'chalk';
+import { createDeviceCode, pollAuth } from '../lib/api.js';
+import { saveConfig } from '../lib/config.js';
+import { banner, spinner, success, error, printBox } from '../lib/ui.js';
+
+export const loginCommand = new Command('login')
+  .description('Authenticate with Keyra via browser')
+  .option('--api-url <url>', 'API URL', 'https://keyra.dev')
+  .action(async (options) => {
+    banner();
+
+    const baseUrl = options.apiUrl;
+    saveConfig({ apiUrl: baseUrl });
+
+    const s = spinner('Creating device code...');
+    s.start();
+
+    let deviceCode: string;
+    try {
+      const result = await createDeviceCode();
+      deviceCode = result.deviceCode;
+      s.stop();
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+      return;
+    }
+    const authUrl = `${baseUrl}/cli/auth?code=${deviceCode}`;
+
+    console.log();
+    console.log(chalk.dim('  Opening browser to authenticate...'));
+    console.log(chalk.dim(`  ${authUrl}`));
+    console.log();
+
+    try {
+      await open(authUrl);
+    } catch {
+      console.log(chalk.yellow('  Could not open browser automatically.'));
+      console.log(chalk.yellow(`  Open this URL manually: ${authUrl}`));
+    }
+
+    const pollSpinner = spinner('Waiting for you to sign in...');
+    pollSpinner.start();
+
+    const maxAttempts = 150; // 5 minutes at 2 second intervals
+    let accessToken: string | undefined;
+
+    for (let i = 0; i < maxAttempts; i++) {
+      await new Promise((resolve) => setTimeout(resolve, 2000));
+
+      try {
+        const result = await pollAuth(deviceCode);
+        if (result.status === 'authorized' && result.accessToken) {
+          accessToken = result.accessToken;
+          break;
+        }
+        if (result.status === 'expired') {
+          pollSpinner.stop();
+          error('Authentication timed out. Please try again.');
+          return;
+        }
+      } catch {
+        // Polling error, continue
+      }
+    }
+
+    pollSpinner.stop();
+
+    if (!accessToken) {
+      error('Authentication timed out. Please try again.');
+      return;
+    }
+
+    success('Signed in successfully!');
+    console.log();
+
+    const { passphrase } = await inquirer.prompt([
+      {
+        type: 'password',
+        name: 'passphrase',
+        message:
+          'Enter an encryption passphrase (this encrypts your secrets locally — remember it!):',
+        mask: '*',
+        validate: (input: string) =>
+          input.length >= 4 || 'Passphrase must be at least 4 characters',
+      },
+    ]);
+
+    const { confirm } = await inquirer.prompt([
+      {
+        type: 'password',
+        name: 'confirm',
+        message: 'Confirm passphrase:',
+        mask: '*',
+        validate: (input: string) =>
+          input === passphrase || 'Passphrases do not match',
+      },
+    ]);
+
+    saveConfig({
+      apiUrl: baseUrl,
+      accessToken,
+      passphrase,
+    });
+
+    printBox(
+      chalk.green.bold('You\'re logged in!') +
+        '\n\n' +
+        chalk.dim('Run ') +
+        chalk.white('keyra init') +
+        chalk.dim(' in a project to get started.')
+    );
+  });

package/cli/src/commands/logout.ts

@@ -0,0 +1,10 @@
+import { Command } from 'commander';
+import { clearConfig } from '../lib/config.js';
+import { success } from '../lib/ui.js';
+
+export const logoutCommand = new Command('logout')
+  .description('Clear stored credentials')
+  .action(() => {
+    clearConfig();
+    success('Logged out. Your vault data is still safe in the cloud.');
+  });

package/cli/src/commands/pull.ts

@@ -0,0 +1,94 @@
+import { Command } from 'commander';
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { requireAuth, requireProjectConfig } from '../lib/config.js';
+import { getVaultEntries, getProjects } from '../lib/api.js';
+import { decrypt } from '../lib/encryption.js';
+import { writeEnvFile } from '../lib/env-file.js';
+import { success, error, warning, spinner, promptSecret } from '../lib/ui.js';
+
+export const pullCommand = new Command('pull')
+  .description('Pull vault variables to local .env')
+  .option('-f, --file <filename>', 'Output filename', '.env')
+  .action(async (options) => {
+    let config;
+    try {
+      config = requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    let projectConfig;
+    try {
+      projectConfig = requireProjectConfig();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    // Check if project has a password
+    let projectPassword: string | null = null;
+    try {
+      const projects = await getProjects();
+      const project = projects.find((p) => p.id === projectConfig.projectId);
+      if (project?.has_project_password) {
+        projectPassword = await promptSecret('Project password: ');
+        const blob = JSON.parse(project.project_password_salt!) as { encrypted: string; iv: string; salt: string; authTag: string };
+        try {
+          const result = decrypt(blob.encrypted, blob.iv, blob.salt, blob.authTag, projectPassword);
+          if (result !== 'keyra-verified') {
+            error('Incorrect project password');
+            return;
+          }
+        } catch {
+          error('Incorrect project password');
+          return;
+        }
+      }
+    } catch (err: any) {
+      error('Failed to fetch project info: ' + err.message);
+      return;
+    }
+
+    const s = spinner('Pulling from vault...');
+    s.start();
+
+    try {
+      const entries = await getVaultEntries(projectConfig.projectId);
+
+      if (entries.length === 0) {
+        s.stop();
+        warning('No variables found in vault. Push some first with `keyra push`.');
+        return;
+      }
+
+      const vars: Record<string, string> = {};
+      for (const entry of entries) {
+        if (projectPassword) {
+          // Double decrypt: outer with vault passphrase, inner with project password
+          const innerJson = decrypt(entry.encrypted_value, entry.iv, entry.salt, entry.auth_tag, config.passphrase);
+          const inner = JSON.parse(innerJson) as { encrypted: string; iv: string; salt: string; authTag: string };
+          vars[entry.key_name] = decrypt(inner.encrypted, inner.iv, inner.salt, inner.authTag, projectPassword);
+        } else {
+          vars[entry.key_name] = decrypt(entry.encrypted_value, entry.iv, entry.salt, entry.auth_tag, config.passphrase);
+        }
+      }
+
+      const existed = fs.existsSync(path.join(process.cwd(), options.file));
+      writeEnvFile(vars, undefined, options.file);
+
+      s.stop();
+      success(
+        'Pulled ' + entries.length + ' variable' + (entries.length !== 1 ? 's' : '') + ' from vault -> ' + options.file + ' ' + chalk.dim('(' + projectConfig.projectName + ')')
+      );
+
+      if (existed) {
+        warning('Existing ' + options.file + ' was overwritten');
+      }
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+    }
+  });

package/cli/src/commands/push.ts

@@ -0,0 +1,118 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import { requireAuth, requireProjectConfig } from '../lib/config.js';
+import { upsertVaultEntries, getProjects } from '../lib/api.js';
+import { readEnvFile } from '../lib/env-file.js';
+import { encrypt, decrypt } from '../lib/encryption.js';
+import { success, error, warning, spinner, promptSecret } from '../lib/ui.js';
+
+export const pushCommand = new Command('push')
+  .description('Push local .env to vault')
+  .action(async () => {
+    let config;
+    try {
+      config = requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    let projectConfig;
+    try {
+      projectConfig = requireProjectConfig();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    const envData = readEnvFile();
+    if (!envData) {
+      warning('No .env file found in current directory.');
+      return;
+    }
+
+    const vars = envData.vars;
+    const varCount = Object.keys(vars).length;
+
+    if (varCount === 0) {
+      warning('No variables found in .env file.');
+      return;
+    }
+
+    // Check if project has a password
+    let projectPassword: string | null = null;
+    try {
+      const projects = await getProjects();
+      const project = projects.find((p) => p.id === projectConfig.projectId);
+      if (project?.has_project_password) {
+        projectPassword = await promptSecret('Project password: ');
+        const blob = JSON.parse(project.project_password_salt as string) as { encrypted: string; iv: string; salt: string; authTag: string };
+        try {
+          const result = decrypt(blob.encrypted, blob.iv, blob.salt, blob.authTag, projectPassword);
+          if (result !== 'keyra-verified') {
+            error('Incorrect project password');
+            return;
+          }
+        } catch {
+          error('Incorrect project password');
+          return;
+        }
+      }
+    } catch (err: any) {
+      error('Failed to fetch project info: ' + err.message);
+      return;
+    }
+
+    const s = spinner('Encrypting and uploading ' + varCount + ' variable' + (varCount !== 1 ? 's' : '') + '...');
+    s.start();
+
+    try {
+      const entries = Object.entries(vars).map(([key, value]) => {
+        let encrypted;
+        if (projectPassword) {
+          // Double encrypt: inner with project password, outer with vault passphrase
+          const inner = encrypt(value, projectPassword);
+          const innerJson = JSON.stringify(inner);
+          encrypted = encrypt(innerJson, config.passphrase);
+        } else {
+          encrypted = encrypt(value, config.passphrase);
+        }
+        return {
+          key_name: key,
+          encrypted_value: encrypted.encrypted,
+          iv: encrypted.iv,
+          salt: encrypted.salt,
+          auth_tag: encrypted.authTag,
+          category: guessCategory(key),
+        };
+      });
+
+      await upsertVaultEntries(projectConfig.projectId, entries);
+      s.stop();
+      success(
+        'Pushed ' + varCount + ' variable' + (varCount !== 1 ? 's' : '') + ' to vault ' + chalk.dim('(' + projectConfig.projectName + ')')
+      );
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+    }
+  });
+
+function guessCategory(key: string): string {
+  const k = key.toUpperCase();
+  if (k.includes('OPENAI') || k.includes('ANTHROPIC') || k.includes('AI'))
+    return 'ai';
+  if (k.includes('DATABASE') || k.includes('DB_') || k.includes('POSTGRES') || k.includes('MYSQL') || k.includes('MONGO') || k.includes('REDIS') || k.includes('SUPABASE'))
+    return 'database';
+  if (k.includes('AUTH') || k.includes('JWT') || k.includes('SESSION') || k.includes('NEXTAUTH') || k.includes('CLERK'))
+    return 'auth';
+  if (k.includes('STRIPE') || k.includes('PAYMENT') || k.includes('PAYPAL'))
+    return 'payment';
+  if (k.includes('VERCEL') || k.includes('AWS') || k.includes('GCP') || k.includes('AZURE') || k.includes('HEROKU'))
+    return 'hosting';
+  if (k.includes('SMTP') || k.includes('EMAIL') || k.includes('SENDGRID') || k.includes('RESEND') || k.includes('MAILGUN'))
+    return 'email';
+  if (k.includes('ANALYTICS') || k.includes('MIXPANEL') || k.includes('GA_') || k.includes('POSTHOG') || k.includes('SENTRY'))
+    return 'analytics';
+  return 'general';
+}