relic 0.4.4 → 0.6.0

package/README.md

@@ -1,11 +1,36 @@
-# Relic CLI
+# Relic
 
-Zero-knowledge secret layer CLI. Fetches encrypted secrets from the server, decrypts them locally, and injects them into the process environment.
+Zero-knowledge secret layer for your projects. Encrypted on your device, never exposed to anyone else. Not even us.
 
 ## Installation
 
 ```bash
-bun install
+# npm
+npm install -g relic
+
+# Homebrew
+brew install heycupola/tap/relic
+
+# Download binary
+curl -fsSL https://github.com/heycupola/relic/releases/latest/download/relic-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m).tar.gz | tar -xz -C /usr/local/bin
+```
+
+## Usage
+
+```bash
+# Launch the TUI
+relic
+
+# Authenticate
+relic login
+
+# Initialize a project
+relic init
+
+# Run a command with secrets injected
+relic run -e production -- npm run deploy
+relic run -e staging -f database -- ./migrate.sh
+relic run -e production -s client -- npm run build
 ```
 
 ## Commands
@@ -14,20 +39,14 @@ bun install
 |---------|-------------|
 | `relic` | Launch the TUI (default) |
 | `relic login` | Authenticate via device code flow |
-| `relic logout` | Clear session, cached keys, and password |
-| `relic whoami` | Show current user (name, email, plan) |
+| `relic logout` | Clear session and cached data |
+| `relic whoami` | Show current user |
 | `relic projects` | List projects with environments and folders |
-| `relic init` | Create `relic.toml` and `.relic/` directory |
+| `relic init` | Create `relic.toml` for the current project |
 | `relic run` | Run a command with secrets injected |
-| `relic telemetry status` | Show telemetry status |
-| `relic telemetry enable` | Enable telemetry |
-| `relic telemetry disable` | Disable telemetry |
+| `relic telemetry` | Manage anonymous usage data collection |
 
-### `relic run`
-
-```bash
-relic run -e <environment> [options] -- <command>
-```
+### `relic run` options
 
 | Flag | Description |
 |------|-------------|
@@ -36,94 +55,36 @@ relic run -e <environment> [options] -- <command>
 | `-s, --scope` | `client`, `server`, or `shared` |
 | `-p, --project` | Project ID (overrides `relic.toml`) |
 
-```bash
-relic run -e production -- npm run deploy
-relic run -e staging -f database -- ./migrate.sh
-relic run -e production -s client -- npm run build
-```
-
-## Configuration
-
-`relic.toml` in project root:
-
-```toml
-project_id = "<uuid>"
-```
-
-Created by `relic init`. The CLI walks up from the current directory to find it.
-
-## Runner (FFI)
-
-Secret injection uses a Rust binary (`packages/runner`) loaded via Bun FFI (`dlopen`). The runner:
-
-- Spawns the child process with a clean environment (`env_clear()`)
-- Injects only the decrypted secrets
-- Forwards signals (SIGTERM, SIGINT)
-- Uses `Zeroizing` for secret memory and disables core dumps
-
-Prebuilt binaries in `prebuilds/` for: `darwin-arm64`, `darwin-x64`, `linux-x64`, `win32-x64`.
-
-## Caching
-
-Local SQLite cache at `.relic/cache.db` (relative to `relic.toml` location). Used in session mode only; API key mode always fetches fresh data.
-
-**Cached data:** environment/folder ID mappings, encrypted secrets, encrypted project key.
-
-**Invalidation:** on each `relic run`, the CLI compares local `lastCachedAt` against the backend `updatedAt`. Stale cache triggers a fresh fetch. Key rotation invalidates all caches.
-
-Scope filtering (`--scope`) is applied locally against cached data.
-
 ## CI/CD
 
-Use API keys instead of interactive login:
-
-| Variable | Description |
-|----------|-------------|
-| `RELIC_API_KEY` | API key for authentication |
-| `RELIC_PASSWORD` | Master password for decryption |
-| `RELIC_PROJECT_ID` | Project ID (optional if `relic.toml` exists) |
-| `CONVEX_SITE_URL` | Convex HTTP actions URL |
-
-### GitHub Actions
+Use API keys for non-interactive environments:
 
 ```yaml
+# GitHub Actions
 - name: Deploy with secrets
   env:
     RELIC_API_KEY: ${{ secrets.RELIC_API_KEY }}
     RELIC_PASSWORD: ${{ secrets.RELIC_PASSWORD }}
-    RELIC_PROJECT_ID: ${{ secrets.RELIC_PROJECT_ID }}
-    CONVEX_URL: ${{ secrets.CONVEX_URL }}
-    CONVEX_SITE_URL: ${{ secrets.CONVEX_SITE_URL }}
-  run: bunx relic run -e production -- npm run deploy
+  run: npx relic run -e production -- npm run deploy
 ```
 
-## Structure
+| Variable | Description |
+|----------|-------------|
+| `RELIC_API_KEY` | API key for authentication |
+| `RELIC_PASSWORD` | Master password for decryption |
+| `RELIC_PROJECT_ID` | Project ID (optional if `relic.toml` exists) |
 
-```
-├── index.ts            # Entry point (commander setup)
-├── commands/
-│   ├── init.ts         # relic init
-│   ├── login.ts        # relic login
-│   ├── logout.ts       # relic logout
-│   ├── whoami.ts       # relic whoami
-│   ├── projects.ts     # relic projects
-│   ├── run.ts          # relic run
-│   └── telemetry.ts    # relic telemetry
-├── lib/
-│   ├── api.ts          # Convex API client, secret export
-│   ├── config.ts       # relic.toml loading/saving
-│   ├── crypto.ts       # Secret decryption helpers
-│   └── types.ts        # SecretScope type
-├── ffi/
-│   ├── bridge.ts       # RunnerBridge FFI wrapper
-│   ├── helper.ts       # Library loading (dlopen)
-│   └── constants.ts    # URLs
-└── helpers/
-    └── cache.ts        # SQLite cache
-```
+## Supported Platforms
+
+| Platform | Architecture |
+|----------|-------------|
+| macOS | ARM64 (Apple Silicon) |
+| macOS | x64 (Intel) |
+| Linux | x64 |
+| Windows | x64 |
 
-## Development
+## Links
 
-```bash
-bun run index.ts
-```
+- [Website](https://heyrelic.com)
+- [Documentation](https://docs.heyrelic.com)
+- [GitHub](https://github.com/heycupola/relic)

package/bin/relic

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+
+import { execFileSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { createRequire } from "node:module";
+import { platform, arch } from "node:os";
+
+const PLATFORM_MAP = {
+  "darwin-arm64": "relic-cli-darwin-arm64",
+  "darwin-x64": "relic-cli-darwin-x64",
+  "linux-x64": "relic-cli-linux-x64",
+  "win32-x64": "relic-cli-windows-x64",
+};
+
+const currentPlatform = `${platform()}-${arch()}`;
+const pkg = PLATFORM_MAP[currentPlatform];
+
+if (!pkg) {
+  console.error(
+    `relic: Unsupported platform ${currentPlatform}.\n` +
+    `Supported: ${Object.keys(PLATFORM_MAP).join(", ")}\n` +
+    `Download manually from: https://github.com/heycupola/relic/releases`
+  );
+  process.exit(1);
+}
+
+const require = createRequire(import.meta.url);
+const isWindows = platform() === "win32";
+const binaryName = isWindows ? "relic.exe" : "relic";
+
+let binary;
+try {
+  const pkgJson = require.resolve(`${pkg}/package.json`);
+  binary = join(dirname(pkgJson), "bin", binaryName);
+} catch {
+  console.error(
+    `relic: Platform package ${pkg} is not installed.\n` +
+    `Try reinstalling: npm install -g relic\n\n` +
+    `If the problem persists, download from:\n` +
+    `  https://github.com/heycupola/relic/releases`
+  );
+  process.exit(1);
+}
+
+if (!existsSync(binary)) {
+  console.error(
+    `relic: Binary not found at ${binary}\n` +
+    `Try reinstalling: npm install -g relic`
+  );
+  process.exit(1);
+}
+
+try {
+  execFileSync(binary, process.argv.slice(2), {
+    stdio: "inherit",
+    env: process.env,
+  });
+} catch (err) {
+  if (err.status !== null && err.status !== undefined) {
+    process.exit(err.status);
+  }
+  if (err.signal) {
+    process.kill(process.pid, err.signal);
+  }
+  throw err;
+}

package/package.json

@@ -1,69 +1,34 @@
 {
   "name": "relic",
-  "version": "0.4.4",
+  "version": "0.6.0",
   "description": "The Relic CLI for managing and sharing secrets. Encrypted on your device, never exposed to anyone else. Not even us.",
-  "keywords": [
-    "cli",
-    "tui"
-  ],
+  "license": "MIT",
+  "type": "module",
   "repository": {
     "type": "git",
-    "url": "https://github.com/heycupola/relic.git",
-    "directory": "apps/cli"
+    "url": "https://github.com/heycupola/relic.git"
   },
+  "keywords": [
+    "cli",
+    "secrets",
+    "encryption",
+    "security"
+  ],
   "author": "Can Vardar",
-  "license": "MIT",
-  "module": "index.ts",
-  "type": "module",
   "bin": {
-    "relic": "dist/cli.js"
-  },
-  "scripts": {
-    "build": "bun run scripts/build.ts",
-    "build:runner": "cd ../../packages/runner && cargo build --release",
-    "prepublishOnly": "bun run build",
-    "dev:cli": "DEV=true bun run build:runner && bun run index.ts",
-    "log:watch": "bun run ../../packages/logger/scripts/watch.ts",
-    "lint": "biome check --write .",
-    "format": "biome format --write .",
-    "check-types": "tsc --noEmit",
-    "test": "bun test"
+    "relic": "bin/relic"
   },
   "files": [
-    "dist/**",
-    "prebuilds/**",
+    "bin/",
     "README.md"
   ],
-  "dependencies": {
-    "argon2": "^0.41.1"
-  },
   "optionalDependencies": {
-    "@opentui/core-darwin-arm64": "0.1.65",
-    "@opentui/core-darwin-x64": "0.1.65",
-    "@opentui/core-linux-x64": "0.1.65",
-    "@opentui/core-win32-x64": "0.1.65"
-  },
-  "devDependencies": {
-    "@clack/prompts": "^0.11.0",
-    "@repo/auth": "*",
-    "@repo/backend": "*",
-    "@repo/crypto": "*",
-    "@repo/logger": "*",
-    "@repo/tui": "*",
-    "@repo/typescript-config": "*",
-    "@types/bun": "latest",
-    "bun-types": "^1.3.1",
-    "commander": "^13.1.0",
-    "convex": "catalog:",
-    "open": "^11.0.0",
-    "ora": "^8.2.0",
-    "picocolors": "^1.1.1",
-    "smol-toml": "^1.6.0"
-  },
-  "peerDependencies": {
-    "typescript": "^5"
+    "relic-cli-darwin-arm64": "0.6.0",
+    "relic-cli-darwin-x64": "0.6.0",
+    "relic-cli-linux-x64": "0.6.0",
+    "relic-cli-windows-x64": "0.6.0"
   },
   "engines": {
     "node": ">=18"
   }
-}
+}