relic 0.4.4 → 0.5.0

package/bin/relic

@@ -0,0 +1,37 @@
+#!/usr/bin/env node
+
+import { execFileSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { platform } from "node:os";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const isWindows = platform() === "win32";
+const binaryName = isWindows ? "relic.exe" : "relic";
+const binary = join(__dirname, binaryName);
+
+if (!existsSync(binary)) {
+  console.error(
+    "relic: Binary not found. Run the postinstall script or reinstall:\n" +
+    "  npm install -g relic\n\n" +
+    "Or download manually from:\n" +
+    "  https://github.com/heycupola/relic/releases"
+  );
+  process.exit(1);
+}
+
+try {
+  execFileSync(binary, process.argv.slice(2), {
+    stdio: "inherit",
+    env: process.env,
+  });
+} catch (err) {
+  if (err.status !== null && err.status !== undefined) {
+    process.exit(err.status);
+  }
+  if (err.signal) {
+    process.kill(process.pid, err.signal);
+  }
+  throw err;
+}

package/package.json

@@ -1,69 +1,31 @@
 {
   "name": "relic",
-  "version": "0.4.4",
+  "version": "0.5.0",
   "description": "The Relic CLI for managing and sharing secrets. Encrypted on your device, never exposed to anyone else. Not even us.",
-  "keywords": [
-    "cli",
-    "tui"
-  ],
+  "license": "MIT",
+  "type": "module",
   "repository": {
     "type": "git",
-    "url": "https://github.com/heycupola/relic.git",
-    "directory": "apps/cli"
+    "url": "https://github.com/heycupola/relic.git"
   },
+  "keywords": [
+    "cli",
+    "secrets",
+    "encryption",
+    "security"
+  ],
   "author": "Can Vardar",
-  "license": "MIT",
-  "module": "index.ts",
-  "type": "module",
   "bin": {
-    "relic": "dist/cli.js"
+    "relic": "bin/relic"
   },
   "scripts": {
-    "build": "bun run scripts/build.ts",
-    "build:runner": "cd ../../packages/runner && cargo build --release",
-    "prepublishOnly": "bun run build",
-    "dev:cli": "DEV=true bun run build:runner && bun run index.ts",
-    "log:watch": "bun run ../../packages/logger/scripts/watch.ts",
-    "lint": "biome check --write .",
-    "format": "biome format --write .",
-    "check-types": "tsc --noEmit",
-    "test": "bun test"
+    "postinstall": "node postinstall.mjs"
   },
   "files": [
-    "dist/**",
-    "prebuilds/**",
-    "README.md"
+    "bin/",
+    "postinstall.mjs"
   ],
-  "dependencies": {
-    "argon2": "^0.41.1"
-  },
-  "optionalDependencies": {
-    "@opentui/core-darwin-arm64": "0.1.65",
-    "@opentui/core-darwin-x64": "0.1.65",
-    "@opentui/core-linux-x64": "0.1.65",
-    "@opentui/core-win32-x64": "0.1.65"
-  },
-  "devDependencies": {
-    "@clack/prompts": "^0.11.0",
-    "@repo/auth": "*",
-    "@repo/backend": "*",
-    "@repo/crypto": "*",
-    "@repo/logger": "*",
-    "@repo/tui": "*",
-    "@repo/typescript-config": "*",
-    "@types/bun": "latest",
-    "bun-types": "^1.3.1",
-    "commander": "^13.1.0",
-    "convex": "catalog:",
-    "open": "^11.0.0",
-    "ora": "^8.2.0",
-    "picocolors": "^1.1.1",
-    "smol-toml": "^1.6.0"
-  },
-  "peerDependencies": {
-    "typescript": "^5"
-  },
   "engines": {
     "node": ">=18"
   }
-}
+}

package/postinstall.mjs

@@ -0,0 +1,102 @@
+import { execSync } from "node:child_process";
+import { createWriteStream, existsSync, mkdirSync, chmodSync, renameSync, unlinkSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { platform, arch } from "node:os";
+import { get } from "node:https";
+import { createGunzip } from "node:zlib";
+import { readFileSync } from "node:fs";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, "package.json"), "utf8"));
+const version = pkg.version;
+
+const PLATFORM_MAP = {
+  "darwin-arm64": { archive: `relic-darwin-arm64.tar.gz`, binary: "relic" },
+  "darwin-x64": { archive: `relic-darwin-x64.tar.gz`, binary: "relic" },
+  "linux-x64": { archive: `relic-linux-x64.tar.gz`, binary: "relic" },
+  "win32-x64": { archive: `relic-win32-x64.zip`, binary: "relic.exe" },
+};
+
+const currentPlatform = `${platform()}-${arch()}`;
+const target = PLATFORM_MAP[currentPlatform];
+
+if (!target) {
+  console.warn(
+    `[relic] Unsupported platform: ${currentPlatform}. ` +
+    `Supported: ${Object.keys(PLATFORM_MAP).join(", ")}`
+  );
+  process.exit(0);
+}
+
+const binDir = join(__dirname, "bin");
+const binaryPath = join(binDir, target.binary);
+
+if (existsSync(binaryPath)) {
+  process.exit(0);
+}
+
+const url = `https://github.com/heycupola/relic/releases/download/v${version}/${target.archive}`;
+
+function download(url) {
+  return new Promise((resolve, reject) => {
+    get(url, (res) => {
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        return download(res.headers.location).then(resolve, reject);
+      }
+      if (res.statusCode !== 200) {
+        return reject(new Error(`Download failed: HTTP ${res.statusCode} for ${url}`));
+      }
+      resolve(res);
+    }).on("error", reject);
+  });
+}
+
+async function extractTarGz(stream, destDir) {
+  const tmpFile = join(destDir, "_tmp.tar.gz");
+  await new Promise((resolve, reject) => {
+    const ws = createWriteStream(tmpFile);
+    stream.pipe(ws);
+    ws.on("finish", resolve);
+    ws.on("error", reject);
+  });
+  execSync(`tar -xzf "${tmpFile}" -C "${destDir}"`, { stdio: "ignore" });
+  unlinkSync(tmpFile);
+}
+
+async function extractZip(stream, destDir) {
+  const tmpFile = join(destDir, "_tmp.zip");
+  await new Promise((resolve, reject) => {
+    const ws = createWriteStream(tmpFile);
+    stream.pipe(ws);
+    ws.on("finish", resolve);
+    ws.on("error", reject);
+  });
+  execSync(`unzip -o -q "${tmpFile}" -d "${destDir}"`, { stdio: "ignore" });
+  unlinkSync(tmpFile);
+}
+
+try {
+  mkdirSync(binDir, { recursive: true });
+
+  console.log(`[relic] Downloading ${target.archive} for ${currentPlatform}...`);
+  const stream = await download(url);
+
+  if (target.archive.endsWith(".tar.gz")) {
+    await extractTarGz(stream, binDir);
+  } else {
+    await extractZip(stream, binDir);
+  }
+
+  if (existsSync(binaryPath)) {
+    chmodSync(binaryPath, 0o755);
+  }
+
+  console.log(`[relic] Installed successfully.`);
+} catch (err) {
+  console.warn(
+    `[relic] Failed to download binary: ${err.message}\n` +
+    `[relic] You can download manually from: https://github.com/heycupola/relic/releases`
+  );
+  process.exit(0);
+}

package/README.md

@@ -1,129 +0,0 @@
-# Relic CLI
-
-Zero-knowledge secret layer CLI. Fetches encrypted secrets from the server, decrypts them locally, and injects them into the process environment.
-
-## Installation
-
-```bash
-bun install
-```
-
-## Commands
-
-| Command | Description |
-|---------|-------------|
-| `relic` | Launch the TUI (default) |
-| `relic login` | Authenticate via device code flow |
-| `relic logout` | Clear session, cached keys, and password |
-| `relic whoami` | Show current user (name, email, plan) |
-| `relic projects` | List projects with environments and folders |
-| `relic init` | Create `relic.toml` and `.relic/` directory |
-| `relic run` | Run a command with secrets injected |
-| `relic telemetry status` | Show telemetry status |
-| `relic telemetry enable` | Enable telemetry |
-| `relic telemetry disable` | Disable telemetry |
-
-### `relic run`
-
-```bash
-relic run -e <environment> [options] -- <command>
-```
-
-| Flag | Description |
-|------|-------------|
-| `-e, --environment` | Environment name (required) |
-| `-f, --folder` | Folder name |
-| `-s, --scope` | `client`, `server`, or `shared` |
-| `-p, --project` | Project ID (overrides `relic.toml`) |
-
-```bash
-relic run -e production -- npm run deploy
-relic run -e staging -f database -- ./migrate.sh
-relic run -e production -s client -- npm run build
-```
-
-## Configuration
-
-`relic.toml` in project root:
-
-```toml
-project_id = "<uuid>"
-```
-
-Created by `relic init`. The CLI walks up from the current directory to find it.
-
-## Runner (FFI)
-
-Secret injection uses a Rust binary (`packages/runner`) loaded via Bun FFI (`dlopen`). The runner:
-
-- Spawns the child process with a clean environment (`env_clear()`)
-- Injects only the decrypted secrets
-- Forwards signals (SIGTERM, SIGINT)
-- Uses `Zeroizing` for secret memory and disables core dumps
-
-Prebuilt binaries in `prebuilds/` for: `darwin-arm64`, `darwin-x64`, `linux-x64`, `win32-x64`.
-
-## Caching
-
-Local SQLite cache at `.relic/cache.db` (relative to `relic.toml` location). Used in session mode only; API key mode always fetches fresh data.
-
-**Cached data:** environment/folder ID mappings, encrypted secrets, encrypted project key.
-
-**Invalidation:** on each `relic run`, the CLI compares local `lastCachedAt` against the backend `updatedAt`. Stale cache triggers a fresh fetch. Key rotation invalidates all caches.
-
-Scope filtering (`--scope`) is applied locally against cached data.
-
-## CI/CD
-
-Use API keys instead of interactive login:
-
-| Variable | Description |
-|----------|-------------|
-| `RELIC_API_KEY` | API key for authentication |
-| `RELIC_PASSWORD` | Master password for decryption |
-| `RELIC_PROJECT_ID` | Project ID (optional if `relic.toml` exists) |
-| `CONVEX_SITE_URL` | Convex HTTP actions URL |
-
-### GitHub Actions
-
-```yaml
-- name: Deploy with secrets
-  env:
-    RELIC_API_KEY: ${{ secrets.RELIC_API_KEY }}
-    RELIC_PASSWORD: ${{ secrets.RELIC_PASSWORD }}
-    RELIC_PROJECT_ID: ${{ secrets.RELIC_PROJECT_ID }}
-    CONVEX_URL: ${{ secrets.CONVEX_URL }}
-    CONVEX_SITE_URL: ${{ secrets.CONVEX_SITE_URL }}
-  run: bunx relic run -e production -- npm run deploy
-```
-
-## Structure
-
-```
-├── index.ts            # Entry point (commander setup)
-├── commands/
-│   ├── init.ts         # relic init
-│   ├── login.ts        # relic login
-│   ├── logout.ts       # relic logout
-│   ├── whoami.ts       # relic whoami
-│   ├── projects.ts     # relic projects
-│   ├── run.ts          # relic run
-│   └── telemetry.ts    # relic telemetry
-├── lib/
-│   ├── api.ts          # Convex API client, secret export
-│   ├── config.ts       # relic.toml loading/saving
-│   ├── crypto.ts       # Secret decryption helpers
-│   └── types.ts        # SecretScope type
-├── ffi/
-│   ├── bridge.ts       # RunnerBridge FFI wrapper
-│   ├── helper.ts       # Library loading (dlopen)
-│   └── constants.ts    # URLs
-└── helpers/
-    └── cache.ts        # SQLite cache
-```
-
-## Development
-
-```bash
-bun run index.ts
-```