relic 0.1.0 → 0.4.0

package/README.md

@@ -0,0 +1,129 @@
+# Relic CLI
+
+Zero-knowledge secret layer CLI. Fetches encrypted secrets from the server, decrypts them locally, and injects them into the process environment.
+
+## Installation
+
+```bash
+bun install
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `relic` | Launch the TUI (default) |
+| `relic login` | Authenticate via device code flow |
+| `relic logout` | Clear session, cached keys, and password |
+| `relic whoami` | Show current user (name, email, plan) |
+| `relic projects` | List projects with environments and folders |
+| `relic init` | Create `relic.toml` and `.relic/` directory |
+| `relic run` | Run a command with secrets injected |
+| `relic telemetry status` | Show telemetry status |
+| `relic telemetry enable` | Enable telemetry |
+| `relic telemetry disable` | Disable telemetry |
+
+### `relic run`
+
+```bash
+relic run -e <environment> [options] -- <command>
+```
+
+| Flag | Description |
+|------|-------------|
+| `-e, --environment` | Environment name (required) |
+| `-f, --folder` | Folder name |
+| `-s, --scope` | `client`, `server`, or `shared` |
+| `-p, --project` | Project ID (overrides `relic.toml`) |
+
+```bash
+relic run -e production -- npm run deploy
+relic run -e staging -f database -- ./migrate.sh
+relic run -e production -s client -- npm run build
+```
+
+## Configuration
+
+`relic.toml` in project root:
+
+```toml
+project_id = "<uuid>"
+```
+
+Created by `relic init`. The CLI walks up from the current directory to find it.
+
+## Runner (FFI)
+
+Secret injection uses a Rust binary (`packages/runner`) loaded via Bun FFI (`dlopen`). The runner:
+
+- Spawns the child process with a clean environment (`env_clear()`)
+- Injects only the decrypted secrets
+- Forwards signals (SIGTERM, SIGINT)
+- Uses `Zeroizing` for secret memory and disables core dumps
+
+Prebuilt binaries in `prebuilds/` for: `darwin-arm64`, `darwin-x64`, `linux-x64`, `win32-x64`.
+
+## Caching
+
+Local SQLite cache at `.relic/cache.db` (relative to `relic.toml` location). Used in session mode only; API key mode always fetches fresh data.
+
+**Cached data:** environment/folder ID mappings, encrypted secrets, encrypted project key.
+
+**Invalidation:** on each `relic run`, the CLI compares local `lastCachedAt` against the backend `updatedAt`. Stale cache triggers a fresh fetch. Key rotation invalidates all caches.
+
+Scope filtering (`--scope`) is applied locally against cached data.
+
+## CI/CD
+
+Use API keys instead of interactive login:
+
+| Variable | Description |
+|----------|-------------|
+| `RELIC_API_KEY` | API key for authentication |
+| `RELIC_PASSWORD` | Master password for decryption |
+| `RELIC_PROJECT_ID` | Project ID (optional if `relic.toml` exists) |
+| `CONVEX_SITE_URL` | Convex HTTP actions URL |
+
+### GitHub Actions
+
+```yaml
+- name: Deploy with secrets
+  env:
+    RELIC_API_KEY: ${{ secrets.RELIC_API_KEY }}
+    RELIC_PASSWORD: ${{ secrets.RELIC_PASSWORD }}
+    RELIC_PROJECT_ID: ${{ secrets.RELIC_PROJECT_ID }}
+    CONVEX_URL: ${{ secrets.CONVEX_URL }}
+    CONVEX_SITE_URL: ${{ secrets.CONVEX_SITE_URL }}
+  run: bunx relic run -e production -- npm run deploy
+```
+
+## Structure
+
+```
+├── index.ts            # Entry point (commander setup)
+├── commands/
+│   ├── init.ts         # relic init
+│   ├── login.ts        # relic login
+│   ├── logout.ts       # relic logout
+│   ├── whoami.ts       # relic whoami
+│   ├── projects.ts     # relic projects
+│   ├── run.ts          # relic run
+│   └── telemetry.ts    # relic telemetry
+├── lib/
+│   ├── api.ts          # Convex API client, secret export
+│   ├── config.ts       # relic.toml loading/saving
+│   ├── crypto.ts       # Secret decryption helpers
+│   └── types.ts        # SecretScope type
+├── ffi/
+│   ├── bridge.ts       # RunnerBridge FFI wrapper
+│   ├── helper.ts       # Library loading (dlopen)
+│   └── constants.ts    # URLs
+└── helpers/
+    └── cache.ts        # SQLite cache
+```
+
+## Development
+
+```bash
+bun run index.ts
+```

package/commands/init.ts

@@ -0,0 +1,105 @@
+import * as p from "@clack/prompts";
+import { AuthenticationError, validateSession } from "@repo/auth";
+import { createLogger, trackEvent } from "@repo/logger";
+import pc from "picocolors";
+
+const log = createLogger("cli");
+
+import { getApi, type ProjectListItem } from "../lib/api";
+import {
+  configExists,
+  createConfig,
+  createRelicDir,
+  getConfigFilePath,
+  saveConfig,
+} from "../lib/config";
+
+interface ProjectOption extends ProjectListItem {
+  isShared: boolean;
+}
+
+export default async function init() {
+  p.intro(pc.bgCyan(pc.black(" relic init ")));
+
+  if (await configExists()) {
+    p.log.warn(pc.yellow("Already initialized"));
+    p.outro(pc.dim("Delete relic.toml to re-initialize"));
+    return;
+  }
+
+  const spinner = p.spinner();
+  spinner.start("Checking authentication...");
+
+  const sessionValidation = await validateSession();
+  if (!sessionValidation.isValid || sessionValidation.isExpired) {
+    spinner.stop("Not logged in");
+    p.log.error(pc.yellow("Not logged in"));
+    p.outro(pc.dim("Run `relic login` to authenticate"));
+    process.exit(1);
+  }
+
+  spinner.message("Loading projects...");
+
+  try {
+    const api = getApi();
+    const [ownedProjects, sharedProjects] = await Promise.all([
+      api.listProjects(),
+      api.listSharedProjects(),
+    ]);
+
+    const allProjects: ProjectOption[] = [
+      ...ownedProjects.filter((p) => !p.isArchived).map((p) => ({ ...p, isShared: false })),
+      ...sharedProjects.filter((p) => !p.isArchived).map((p) => ({ ...p, isShared: true })),
+    ];
+
+    spinner.stop("Projects loaded");
+
+    if (allProjects.length === 0) {
+      p.log.warn(pc.yellow("No projects found. Run `relic` to create a new project"));
+      process.exit(1);
+    }
+
+    const selectedProjectId = await p.select({
+      message: "Select a project",
+      options: allProjects.map((project) => ({
+        value: project.id,
+        label: project.isShared ? `${project.name} ${pc.dim("(shared)")}` : project.name,
+      })),
+    });
+
+    if (p.isCancel(selectedProjectId)) {
+      p.cancel("Operation cancelled");
+      process.exit(0);
+    }
+
+    const selectedProject = allProjects.find((p) => p.id === selectedProjectId);
+    if (!selectedProject) {
+      p.log.error(pc.red("Failed to find selected project"));
+      process.exit(1);
+    }
+
+    spinner.start("Saving configuration...");
+    const config = createConfig(selectedProject.id);
+    await saveConfig(config);
+    await createRelicDir();
+    spinner.stop("Configuration saved");
+
+    trackEvent("cli_project_initialized", { success: true });
+    p.log.success(pc.green(`Initialized Relic for ${selectedProject.name}`));
+    p.outro(pc.dim(`Config saved to ${getConfigFilePath()}`));
+  } catch (err) {
+    spinner.stop("Failed");
+
+    if (err instanceof AuthenticationError) {
+      p.log.error(pc.yellow("Not logged in"));
+      p.outro(pc.dim("Run `relic login` to authenticate"));
+      process.exit(1);
+    }
+
+    log.error("Init failed", err);
+    trackEvent("cli_project_initialized", { success: false });
+    const message = err instanceof Error ? err.message : "Failed to initialize";
+    p.log.error(pc.red(`Error: ${message}`));
+    process.exit(1);
+  }
+}

package/commands/login.ts

@@ -0,0 +1,85 @@
+import {
+  type DeviceAuthStatus,
+  type DeviceCodeResponse,
+  deviceAuth,
+  validateSession,
+} from "@repo/auth";
+import { createLogger, trackEvent } from "@repo/logger";
+import ora from "ora";
+import pc from "picocolors";
+
+const log = createLogger("cli");
+
+function formatCode(code: string): string {
+  if (code.includes("-")) return code;
+  if (code.length === 8) return `${code.slice(0, 4)}-${code.slice(4)}`;
+  return code;
+}
+
+export default async function login() {
+  const spinner = ora("Connecting to server...").start();
+
+  try {
+    // Check if already logged in
+    const sessionValidation = await validateSession();
+    if (sessionValidation.isValid && !sessionValidation.isExpired) {
+      spinner.succeed(pc.green("Already logged in"));
+      return;
+    }
+
+    trackEvent("cli_login_started");
+
+    let userCode: string | null = null;
+    let verificationUri: string | null = null;
+    let currentStatus: DeviceAuthStatus | "starting" | "approved" = "starting";
+
+    const result = await deviceAuth.startAuth({
+      onCodeReceived: (code: DeviceCodeResponse) => {
+        userCode = code.user_code;
+        verificationUri = code.verification_uri_complete;
+
+        spinner.stop();
+        console.log();
+        console.log("Your verification code:");
+        console.log();
+        console.log(`  ${pc.bold(pc.green(formatCode(userCode)))}`);
+        console.log();
+        if (verificationUri) {
+          console.log(pc.dim(`Opening browser to: ${verificationUri}`));
+        }
+        console.log();
+        spinner.start("Waiting for authorization...");
+      },
+      onStatusChange: (newStatus: DeviceAuthStatus) => {
+        currentStatus = newStatus;
+      },
+      onSuccess: () => {
+        currentStatus = "approved";
+      },
+      onError: (error: Error) => {
+        spinner.fail(pc.red(`Error: ${error.message}`));
+        process.exit(1);
+      },
+    });
+
+    if (result.success) {
+      trackEvent("cli_login_completed", { success: true });
+      spinner.succeed(pc.green("Login successful!"));
+    } else if (result.error) {
+      trackEvent("cli_login_completed", { success: false, reason: currentStatus });
+      if ((currentStatus as string) === "denied") {
+        spinner.fail(pc.red("Authorization denied"));
+      } else if ((currentStatus as string) === "expired") {
+        spinner.fail(pc.red("Code expired. Please try again."));
+      } else {
+        spinner.fail(pc.red(`Error: ${result.error.message}`));
+      }
+      process.exit(1);
+    }
+  } catch (err) {
+    log.error("Login failed", err);
+    trackEvent("cli_login_completed", { success: false });
+    spinner.fail(pc.red(err instanceof Error ? err.message : String(err)));
+    process.exit(1);
+  }
+}

package/commands/logout.ts

@@ -0,0 +1,39 @@
+import {
+  clearCachedUserKeys,
+  clearPassword,
+  clearSession,
+  getUserKeyCacheDb,
+  validateSession,
+} from "@repo/auth";
+import { createLogger, trackEvent } from "@repo/logger";
+import ora from "ora";
+import pc from "picocolors";
+
+const log = createLogger("cli");
+
+export default async function logout() {
+  const spinner = ora("Checking session...").start();
+
+  try {
+    const session = await validateSession();
+
+    if (!session.isValid) {
+      spinner.warn(pc.yellow("Not logged in"));
+      return;
+    }
+
+    spinner.text = "Logging out...";
+    const userKeyDb = await getUserKeyCacheDb();
+    clearCachedUserKeys(userKeyDb);
+    await clearSession();
+    await clearPassword();
+    trackEvent("cli_logout", { success: true });
+    spinner.succeed(pc.green("Logged out"));
+  } catch (err) {
+    log.error("Logout failed", err);
+    trackEvent("cli_logout", { success: false });
+    const message = err instanceof Error ? err.message : "Failed to logout";
+    spinner.fail(pc.red(`Error: ${message}`));
+    process.exit(1);
+  }
+}

package/commands/projects.ts

@@ -0,0 +1,154 @@
+import { validateSession } from "@repo/auth";
+import { trackEvent } from "@repo/logger";
+import ora from "ora";
+import pc from "picocolors";
+import { type Environment, type Folder, getApi, type ProjectListItem } from "../lib/api";
+
+interface ProjectWithDetails extends ProjectListItem {
+  isShared: boolean;
+  environments: Array<Environment & { folders: Folder[] }>;
+}
+
+const TREE = {
+  BRANCH: "├── ",
+  LAST_BRANCH: "└── ",
+  VERTICAL: "│   ",
+  EMPTY: "    ",
+} as const;
+
+function renderProjectTree(projects: ProjectWithDetails[]): void {
+  if (projects.length === 0) {
+    console.log(pc.dim("No projects found"));
+    console.log(pc.dim("Create one at app.relic.so"));
+    return;
+  }
+
+  console.log(pc.bold("Your Projects"));
+  console.log();
+
+  for (let projectIndex = 0; projectIndex < projects.length; projectIndex++) {
+    const project = projects[projectIndex]!;
+    const isLastProject = projectIndex === projects.length - 1;
+    const projectPrefix = isLastProject ? TREE.LAST_BRANCH : TREE.BRANCH;
+    const childPrefix = isLastProject ? TREE.EMPTY : TREE.VERTICAL;
+
+    const badges: string[] = [];
+    if (project.isShared) badges.push("shared");
+    if (project.isArchived) badges.push("archived");
+    const badgeText = badges.length > 0 ? pc.dim(` (${badges.join(", ")})`) : "";
+
+    const projectName = project.isArchived ? pc.dim(project.name) : pc.bold(project.name);
+
+    console.log(`${pc.dim(projectPrefix)}${projectName}${badgeText}`);
+
+    for (let envIndex = 0; envIndex < project.environments.length; envIndex++) {
+      const env = project.environments[envIndex]!;
+      const isLastEnv = envIndex === project.environments.length - 1;
+      const envPrefix = isLastEnv ? TREE.LAST_BRANCH : TREE.BRANCH;
+      const envChildPrefix = isLastEnv ? TREE.EMPTY : TREE.VERTICAL;
+
+      const envColor = env.color || "white";
+      const colorFn =
+        envColor in pc
+          ? (pc as unknown as Record<string, (s: string) => string>)[envColor]!
+          : (s: string) => s;
+      console.log(`${pc.dim(childPrefix)}${pc.dim(envPrefix)}${colorFn(env.name)}`);
+
+      for (let folderIndex = 0; folderIndex < env.folders.length; folderIndex++) {
+        const folder = env.folders[folderIndex]!;
+        const isLastFolder = folderIndex === env.folders.length - 1;
+        const folderPrefix = isLastFolder ? TREE.LAST_BRANCH : TREE.BRANCH;
+
+        console.log(
+          `${pc.dim(childPrefix)}${pc.dim(envChildPrefix)}${pc.dim(folderPrefix)}${pc.dim(`${folder.name}/`)}`,
+        );
+      }
+    }
+  }
+}
+
+export default async function projects() {
+  const spinner = ora("Connecting...").start();
+
+  try {
+    const sessionValidation = await validateSession();
+    if (!sessionValidation.isValid || sessionValidation.isExpired) {
+      spinner.stop();
+      console.log(pc.yellow("Not logged in"));
+      console.log(pc.dim("Run `relic login` to authenticate"));
+      return;
+    }
+
+    const api = getApi();
+
+    spinner.text = "Fetching projects...";
+    const [ownedProjects, sharedProjects] = await Promise.all([
+      api.listProjects(),
+      api.listSharedProjects(),
+    ]);
+
+    const allProjects: ProjectWithDetails[] = [
+      ...ownedProjects.map((p) => ({
+        ...p,
+        isShared: false,
+        environments: [] as Array<Environment & { folders: Folder[] }>,
+      })),
+      ...sharedProjects.map((p) => ({
+        ...p,
+        isShared: true,
+        environments: [] as Array<Environment & { folders: Folder[] }>,
+      })),
+    ];
+
+    spinner.text = "Fetching environments...";
+    const projectsWithEnvs = await Promise.all(
+      allProjects.map(async (project) => {
+        try {
+          const environments = await api.getProjectEnvironments(project.id);
+          return {
+            ...project,
+            environments: environments.map((e) => ({ ...e, folders: [] as Folder[] })),
+          };
+        } catch {
+          return { ...project, environments: [] };
+        }
+      }),
+    );
+
+    spinner.text = "Fetching folders...";
+    const projectsWithFolders = await Promise.all(
+      projectsWithEnvs.map(async (project) => {
+        const environmentsWithFolders = await Promise.all(
+          project.environments.map(async (env) => {
+            try {
+              const data = await api.getEnvironmentData(env.id);
+              return { ...env, folders: data.folders };
+            } catch {
+              return { ...env, folders: [] };
+            }
+          }),
+        );
+        return { ...project, environments: environmentsWithFolders };
+      }),
+    );
+
+    trackEvent("cli_command_executed", { command: "projects", count: projectsWithFolders.length });
+    spinner.stop();
+    renderProjectTree(projectsWithFolders);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Failed to fetch projects";
+    // Handle auth-related errors more gracefully
+    if (
+      message.includes("Not authenticated") ||
+      message.includes("JWT") ||
+      message.includes("token")
+    ) {
+      spinner.stop();
+      console.log(pc.yellow("Not logged in"));
+      console.log(pc.dim("Run `relic login` to authenticate"));
+      return;
+    }
+    spinner.fail(pc.red(`Error: ${message}`));
+    process.exit(1);
+  }
+}