varcrypt 0.0.1 → 0.1.1

package/README.md

@@ -0,0 +1,89 @@
+# varcrypt
+
+CLI for [VarCrypt](https://varcrypt.vercel.app) — pull AES-256-GCM encrypted environment variables from the cloud directly into your terminal.
+
+## Requirements
+
+Node.js 18 or later.
+
+## Installation
+
+```bash
+npm install -g varcrypt
+```
+
+## Quick start
+
+**1. Generate an API token**
+
+Go to **VarCrypt → Settings → API Tokens** and create a new token. Copy the `vc_…` value — it's only shown once.
+
+**2. Save the token locally**
+
+```bash
+varcrypt login
+# Paste your API token:
+```
+
+The token is stored in `~/.varcrypt/config.json`.
+
+**3. Pull secrets**
+
+```bash
+varcrypt pull <project-slug> <environment>
+```
+
+Example:
+
+```bash
+varcrypt pull my-app production
+# DATABASE_URL=postgres://...
+# API_KEY=sk-...
+```
+
+Pipe directly into a process:
+
+```bash
+env $(varcrypt pull my-app production) node server.js
+```
+
+Or source as shell exports:
+
+```bash
+source <(varcrypt pull my-app production --output export)
+```
+
+## Commands
+
+### `varcrypt login`
+
+Prompts for an API token and saves it to `~/.varcrypt/config.json`.
+
+### `varcrypt pull <project> <env> [options]`
+
+Prints secrets for the given project and environment as `KEY=value` lines.
+
+| Option | Description |
+|---|---|
+| `--output export` | Print as `export KEY="value"` instead of `KEY=value` |
+| `--host <url>` | Override the API host (default: `http://localhost:3000`) |
+
+The `--host` flag is useful for self-hosted deployments:
+
+```bash
+varcrypt pull my-app staging --host https://varcrypt.example.com
+```
+
+## How it works
+
+Secrets are encrypted with AES-256-GCM at rest. The CLI sends your API token in the `Authorization` header; the server decrypts and returns the plaintext values over HTTPS. Your token is scoped to a single organization — it cannot read secrets from other organizations.
+
+## Security
+
+- Tokens are stored in `~/.varcrypt/config.json` with default file permissions. Protect this file like you would an SSH key.
+- Always pull over HTTPS in production. The default `localhost:3000` host is intended for local development only.
+- Rotate tokens in the VarCrypt dashboard if one is compromised.
+
+## License
+
+MIT

package/index.mjs

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+import { readFileSync, writeFileSync, mkdirSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import * as readline from "readline/promises";
+
+const CONFIG_DIR = join(homedir(), ".varcrypt");
+const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+const DEFAULT_HOST = "http://localhost:3000";
+
+function loadConfig() {
+  try {
+    return JSON.parse(readFileSync(CONFIG_FILE, "utf8"));
+  } catch {
+    return {};
+  }
+}
+
+function saveConfig(config) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+
+async function login() {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const token = await rl.question("Paste your API token: ");
+  rl.close();
+
+  const trimmed = token.trim();
+  if (!trimmed.startsWith("vc_")) {
+    console.error("Invalid token — must start with vc_");
+    process.exit(1);
+  }
+
+  const config = loadConfig();
+  config.token = trimmed;
+  saveConfig(config);
+  console.log("Token saved to ~/.varcrypt/config.json");
+}
+
+async function pull(project, env, opts) {
+  const config = loadConfig();
+  if (!config.token) {
+    console.error("Not logged in. Run: varcrypt login");
+    process.exit(1);
+  }
+
+  const host = opts.host ?? config.host ?? DEFAULT_HOST;
+  const url = `${host}/api/secrets?project=${encodeURIComponent(project)}&env=${encodeURIComponent(env)}`;
+
+  const res = await fetch(url, {
+    headers: { Authorization: `Bearer ${config.token}` },
+  });
+
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({}));
+    console.error(`Error ${res.status}: ${body.error ?? res.statusText}`);
+    process.exit(1);
+  }
+
+  const { secrets } = await res.json();
+
+  if (opts.output === "export") {
+    for (const [k, v] of Object.entries(secrets)) {
+      console.log(`export ${k}="${v}"`);
+    }
+  } else {
+    for (const [k, v] of Object.entries(secrets)) {
+      console.log(`${k}=${v}`);
+    }
+  }
+}
+
+function usage() {
+  console.log(`
+varcrypt <command> [options]
+
+Commands:
+  login                          Save your API token
+  pull <project> <env>           Print secrets as KEY=value
+    --output export              Print as export KEY="value" instead
+    --host <url>                 Override API host (default: http://localhost:3000)
+`);
+}
+
+const [,, cmd, ...args] = process.argv;
+
+if (cmd === "login") {
+  await login();
+} else if (cmd === "pull") {
+  const [project, env, ...rest] = args;
+  if (!project || !env) { usage(); process.exit(1); }
+  const opts = {};
+  for (let i = 0; i < rest.length; i++) {
+    if (rest[i] === "--output") opts.output = rest[++i];
+    if (rest[i] === "--host") opts.host = rest[++i];
+  }
+  await pull(project, env, opts);
+} else {
+  usage();
+}

package/package.json

@@ -1,13 +1,17 @@
-{
-  "name": "varcrypt",
-  "version": "0.0.1",
-  "description": "Encrypted environment variable sharing for dev teams",
-  "main": "index.js",
-  "keywords": ["env", "secrets", "environment", "cli", "devtools"],
-  "author": "jsg994",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/jsg994/varcrypt"
-  }
-}
+{
+  "name": "varcrypt",
+  "version": "0.1.1",
+  "description": "CLI for VarCrypt — pull encrypted secrets from the cloud",
+  "type": "module",
+  "bin": {
+    "varcrypt": "./index.mjs"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "index.mjs",
+    "README.md"
+  ],
+  "license": "MIT"
+}

package/index.js

@@ -1 +0,0 @@
-// VarCrypt - coming soon