whisper-secrets 0.2.0

package/README.md

@@ -0,0 +1,110 @@
+# whisper-secrets
+
+Zero-knowledge `.env` secret manager for teams. Encrypt, store, and share secrets — secrets are encrypted before leaving your machine. No signup, no accounts.
+
+## Install
+
+```bash
+npm install -g whisper-secrets
+```
+
+## Features
+
+- **Client-side encryption**: AES-256-GCM encryption with PBKDF2 key derivation — your server never sees plaintext
+- **Team sharing**: Initialize a project, share the passphrase link, and teammates can pull secrets instantly
+- **Ephemeral secrets**: One-time share links with auto-expiration and optional self-destruct
+- **`.env` workflow**: Push, pull, import, rotate, and remove secrets — works with your existing `.env` files
+
+## Quick Start
+
+```bash
+# Initialize a project (generates passphrase + .whisperrc config)
+whisper-secrets init
+
+# Share the generated link with your team
+# Teammates clone the repo, then:
+whisper-secrets pull
+```
+
+## Managed Secrets (`.env` workflow)
+
+```bash
+# Initialize a project
+whisper-secrets init
+whisper-secrets init --url https://your-server.com
+
+# Import an existing .env file (encrypts & uploads every entry)
+whisper-secrets import
+
+# Push a single secret
+whisper-secrets push DATABASE_URL
+
+# Pull all secrets into .env
+whisper-secrets pull
+
+# Rotate a secret's value
+whisper-secrets rotate DATABASE_URL
+
+# Delete a secret
+whisper-secrets remove DATABASE_URL
+```
+
+## Ephemeral Secrets (one-time sharing)
+
+```bash
+# Share a secret (default: 1h expiration, self-destruct on)
+whisper-secrets share --expiration 1h
+
+# Share without self-destruct
+whisper-secrets share --expiration 24h --no-self-destruct
+
+# Retrieve a secret by URL or ID
+whisper-secrets get https://whisper.example.com/get_secret?shared_secret_id=UUID
+```
+
+## How It Works
+
+1. `whisper-secrets init` generates a random passphrase and creates `.whisperrc`
+2. The passphrase derives an encryption key (PBKDF2-SHA256, 600k iterations) and an auth token
+3. `push` / `import` encrypt secrets client-side, then upload the ciphertext to the server
+4. `pull` downloads ciphertext and decrypts locally
+5. The server only stores encrypted blobs — zero knowledge of your secrets
+
+**Files created:**
+- `.whisperrc` — project config (URL + passphrase). Add to `.gitignore`
+- `.env.whisper` — mapping of secret names to server IDs. Commit this to git
+- `.env` — plaintext secrets, generated by `pull`. Add to `.gitignore`
+
+## Security
+
+- **AES-256-GCM** authenticated encryption with unique nonce per secret
+- **PBKDF2-SHA256** key derivation (600,000 iterations)
+- **Bearer token** authentication derived from the same passphrase
+- **No plaintext** ever leaves your machine or is stored on the server
+
+## Supported Platforms
+
+| Platform | Architecture |
+|----------|-------------|
+| Linux | x64, arm64 |
+| macOS | arm64 (Apple Silicon) |
+| Windows | x64 |
+
+## Self-hosting
+
+Whisper is open source. You can host your own server:
+
+```bash
+# See full setup instructions
+git clone https://github.com/quentinved/Whisper
+```
+
+Then point the CLI to your server:
+
+```bash
+whisper-secrets init --url https://your-whisper-instance.com
+```
+
+## License
+
+MIT — [github.com/quentinved/Whisper](https://github.com/quentinved/Whisper)

package/bin/whisper-secrets

@@ -0,0 +1,49 @@
+#!/usr/bin/env node
+
+const { execFileSync } = require("child_process");
+const os = require("os");
+const path = require("path");
+
+const PLATFORMS = {
+  "darwin-arm64": "@whisper-secrets/darwin-arm64",
+  "linux-arm64": "@whisper-secrets/linux-arm64",
+  "linux-x64": "@whisper-secrets/linux-x64",
+  "win32-x64": "@whisper-secrets/win32-x64",
+};
+
+const platform = os.platform();
+const arch = os.arch();
+const key = `${platform}-${arch}`;
+const pkg = PLATFORMS[key];
+
+if (!pkg) {
+  console.error(
+    `Unsupported platform: ${platform}-${arch}. ` +
+    `Supported: ${Object.keys(PLATFORMS).join(", ")}`
+  );
+  process.exit(1);
+}
+
+let binPath;
+try {
+  const pkgDir = path.dirname(require.resolve(`${pkg}/package.json`));
+  const ext = platform === "win32" ? ".exe" : "";
+  binPath = path.join(pkgDir, "bin", `whisper-secrets${ext}`);
+} catch (e) {
+  console.error(
+    `Could not find package ${pkg}. ` +
+    `Make sure optional dependencies are installed (do not use --no-optional).`
+  );
+  process.exit(1);
+}
+
+try {
+  const result = execFileSync(binPath, process.argv.slice(2), {
+    stdio: "inherit",
+  });
+} catch (e) {
+  if (e.status !== null) {
+    process.exit(e.status);
+  }
+  throw e;
+}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "whisper-secrets",
+  "version": "0.2.0",
+  "description": "Secure, encrypted secret management CLI for teams. Zero-knowledge .env manager with client-side AES-256-GCM encryption.",
+  "license": "MIT",
+  "author": "Quentin Vedrenne",
+  "homepage": "https://whisper.quentinvedrenne.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/quentinved/Whisper"
+  },
+  "bugs": {
+    "url": "https://github.com/quentinved/Whisper/issues"
+  },
+  "keywords": [
+    "secrets",
+    "env",
+    "dotenv",
+    "encryption",
+    "aes-256-gcm",
+    "secret-management",
+    "cli",
+    "zero-knowledge"
+  ],
+  "bin": {
+    "whisper-secrets": "bin/whisper-secrets"
+  },
+  "files": [
+    "bin/",
+    "README.md"
+  ],
+  "optionalDependencies": {
+    "@whisper-secrets/linux-x64": "0.2.0",
+    "@whisper-secrets/linux-arm64": "0.2.0",
+    "@whisper-secrets/darwin-arm64": "0.2.0",
+    "@whisper-secrets/win32-x64": "0.2.0"
+  },
+  "engines": {
+    "node": ">=16"
+  }
+}