envrcctl 0.0.1__tar.gz

envrcctl-0.0.1/.gitignore

@@ -0,0 +1,11 @@
+
+.venv/
+.agent/
+.rules
+__pycache__/
+*.py[cod]
+.pytest_cache/
+.coverage
+htmlcov/
+.DS_Store
+.envrc

envrcctl-0.0.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Rio Fujita
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

envrcctl-0.0.1/PKG-INFO

@@ -0,0 +1,272 @@
+Metadata-Version: 2.4
+Name: envrcctl
+Version: 0.0.1
+Summary: Manage .envrc with managed blocks and OS-backed secrets.
+License: MIT License
+        
+        Copyright (c) 2026 Rio Fujita
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Requires-Python: >=3.14
+Requires-Dist: typer>=0.24.1
+Description-Content-Type: text/markdown
+
+# envrcctl
+
+envrcctl is a CLI tool that manages `.envrc` files safely through a managed
+block, with secrets stored in your OS key store instead of the file.
+
+It is designed for macOS first, with Linux support via SecretService.
+
+## Features
+
+- Safe, structured edits to `.envrc` (managed block only)
+- Non-secret environment variables (CRUD)
+- Secrets stored in Keychain (macOS) or SecretService (Linux)
+- Inheritance control (`source_up` on/off)
+- Exec-based secret injection (`envrcctl exec -- ...`)
+- Secret injection for direnv (`eval "$(envrcctl inject)"`, TTY-guarded)
+- Secret kinds (runtime/admin), with exec injecting runtime only
+- Secret get with clipboard default and TTY guard
+- Diagnostics and migration helpers
+- Shell completion scripts
+
+## Requirements
+
+- Python 3.14+
+- `direnv`
+- macOS Keychain (built-in) or Linux SecretService (`secret-tool`)
+
+## Installation
+
+### macOS (Homebrew)
+
+Tap and install:
+
+```sh
+brew tap rioriost/envrcctl
+brew install envrcctl
+```
+
+After release, Homebrew will download the release from GitHub.
+
+Install direnv with Homebrew:
+
+```sh
+brew install direnv
+```
+
+### Linux (pipx, recommended)
+
+```sh
+pipx install envrcctl
+```
+
+### Linux (uv)
+
+```sh
+uv tool install envrcctl
+```
+
+### From source (macOS/Linux)
+
+```sh
+git clone <REPO_URL>
+cd envrcctl
+uv sync
+uv run python -m envrcctl.main --help
+```
+
+## Quick Start
+
+1. Initialize a managed block in `.envrc`:
+
+```sh
+envrcctl init
+```
+
+If `.envrc` already exists, you'll be prompted to confirm. Use `--yes` to skip the prompt in non-interactive runs.
+
+2. Add non-secret variables:
+
+```sh
+envrcctl set FOO bar
+envrcctl get FOO
+envrcctl list
+```
+
+3. Enable inheritance:
+
+```sh
+envrcctl inherit on
+```
+
+4. Store a secret:
+
+```sh
+envrcctl secret set OPENAI_API_KEY --account openai:prod
+```
+
+5. Ensure your `.envrc` includes:
+
+```sh
+eval "$(envrcctl inject)"
+```
+
+6. Allow direnv:
+
+```sh
+direnv allow
+```
+
+## Commands
+
+### Non-secret variables
+
+```sh
+envrcctl set VAR value
+envrcctl unset VAR
+envrcctl get VAR
+envrcctl list
+```
+
+### Secrets
+
+```sh
+envrcctl secret set OPENAI_API_KEY --account openai:prod --kind runtime
+envrcctl secret set OPENAI_API_KEY --account openai:admin --kind admin
+envrcctl secret unset OPENAI_API_KEY
+envrcctl secret list
+envrcctl secret get OPENAI_API_KEY
+envrcctl secret get OPENAI_API_KEY --plain
+```
+
+For CI-safe input:
+
+```sh
+echo -n "$OPENAI_API_KEY" | envrcctl secret set OPENAI_API_KEY --account openai:prod --stdin
+```
+
+### Exec secrets without stdout
+
+```sh
+envrcctl exec -- python script.py
+envrcctl exec -k OPENAI_API_KEY -- python script.py
+```
+
+Exec injects runtime secrets only.
+
+### Inject secrets for direnv
+
+```sh
+envrcctl inject
+```
+
+Non-interactive runs are blocked unless `--force` is provided.
+
+### Effective view (masked)
+
+```sh
+envrcctl eval
+```
+
+### Diagnostics
+
+```sh
+envrcctl doctor
+```
+
+### Migration
+
+```sh
+envrcctl migrate
+```
+
+You'll be prompted when unmanaged exports or secret refs are detected. Use `--yes` to confirm in non-interactive runs.
+
+## Backend Selection (macOS/Linux)
+
+envrcctl selects a backend automatically by platform, or via `ENVRCCTL_BACKEND`.
+
+Supported schemes:
+
+- `kc` — macOS Keychain
+- `ss` — SecretService via `secret-tool`
+
+Example:
+
+```sh
+ENVRCCTL_BACKEND=ss envrcctl secret set OPENAI_API_KEY --account openai:prod
+```
+
+Secret references are stored as:
+
+```
+<scheme>:<service>:<account>:<kind>
+```
+
+`kind` is `runtime` or `admin` (default: `runtime`).
+
+Example:
+
+```
+kc:st.rio.envrcctl:openai:prod:runtime
+kc:st.rio.envrcctl:openai:admin:admin
+```
+
+## Shell Completion
+
+```sh
+envrcctl --install-completion
+envrcctl --show-completion bash
+envrcctl --show-completion zsh
+envrcctl --show-completion fish
+```
+
+Generated scripts are stored under `completions/`. To refresh:
+
+```sh
+uv run python scripts/generate_completions.py
+```
+
+## Security Notes
+
+- Secrets are never written to `.envrc`
+- Secrets are never passed in CLI arguments
+- `.envrc` updates are atomic
+- `inject` is blocked in non-interactive environments unless `--force` is provided
+- `secret get` is clipboard-only by default; plaintext output is TTY-guarded
+- The tool refuses to write to world-writable `.envrc`
+
+## Development
+
+```sh
+uv sync
+.venv/bin/envrcctl --help
+```
+
+## Acknowledgements
+
+Based on the article below, I added commands such as `exec`. Thank you for the helpful hints.  
+“[もう.envにAPIキーを平文で置くのはやめた — macOS Keychain管理CLI「LLM Key Ring」](https://zenn.dev/yottayoshida/articles/llm-key-ring-secure-api-key-management)”
+
+## License
+
+MIT

envrcctl-0.0.1/README.md

@@ -0,0 +1,242 @@
+# envrcctl
+
+envrcctl is a CLI tool that manages `.envrc` files safely through a managed
+block, with secrets stored in your OS key store instead of the file.
+
+It is designed for macOS first, with Linux support via SecretService.
+
+## Features
+
+- Safe, structured edits to `.envrc` (managed block only)
+- Non-secret environment variables (CRUD)
+- Secrets stored in Keychain (macOS) or SecretService (Linux)
+- Inheritance control (`source_up` on/off)
+- Exec-based secret injection (`envrcctl exec -- ...`)
+- Secret injection for direnv (`eval "$(envrcctl inject)"`, TTY-guarded)
+- Secret kinds (runtime/admin), with exec injecting runtime only
+- Secret get with clipboard default and TTY guard
+- Diagnostics and migration helpers
+- Shell completion scripts
+
+## Requirements
+
+- Python 3.14+
+- `direnv`
+- macOS Keychain (built-in) or Linux SecretService (`secret-tool`)
+
+## Installation
+
+### macOS (Homebrew)
+
+Tap and install:
+
+```sh
+brew tap rioriost/envrcctl
+brew install envrcctl
+```
+
+After release, Homebrew will download the release from GitHub.
+
+Install direnv with Homebrew:
+
+```sh
+brew install direnv
+```
+
+### Linux (pipx, recommended)
+
+```sh
+pipx install envrcctl
+```
+
+### Linux (uv)
+
+```sh
+uv tool install envrcctl
+```
+
+### From source (macOS/Linux)
+
+```sh
+git clone <REPO_URL>
+cd envrcctl
+uv sync
+uv run python -m envrcctl.main --help
+```
+
+## Quick Start
+
+1. Initialize a managed block in `.envrc`:
+
+```sh
+envrcctl init
+```
+
+If `.envrc` already exists, you'll be prompted to confirm. Use `--yes` to skip the prompt in non-interactive runs.
+
+2. Add non-secret variables:
+
+```sh
+envrcctl set FOO bar
+envrcctl get FOO
+envrcctl list
+```
+
+3. Enable inheritance:
+
+```sh
+envrcctl inherit on
+```
+
+4. Store a secret:
+
+```sh
+envrcctl secret set OPENAI_API_KEY --account openai:prod
+```
+
+5. Ensure your `.envrc` includes:
+
+```sh
+eval "$(envrcctl inject)"
+```
+
+6. Allow direnv:
+
+```sh
+direnv allow
+```
+
+## Commands
+
+### Non-secret variables
+
+```sh
+envrcctl set VAR value
+envrcctl unset VAR
+envrcctl get VAR
+envrcctl list
+```
+
+### Secrets
+
+```sh
+envrcctl secret set OPENAI_API_KEY --account openai:prod --kind runtime
+envrcctl secret set OPENAI_API_KEY --account openai:admin --kind admin
+envrcctl secret unset OPENAI_API_KEY
+envrcctl secret list
+envrcctl secret get OPENAI_API_KEY
+envrcctl secret get OPENAI_API_KEY --plain
+```
+
+For CI-safe input:
+
+```sh
+echo -n "$OPENAI_API_KEY" | envrcctl secret set OPENAI_API_KEY --account openai:prod --stdin
+```
+
+### Exec secrets without stdout
+
+```sh
+envrcctl exec -- python script.py
+envrcctl exec -k OPENAI_API_KEY -- python script.py
+```
+
+Exec injects runtime secrets only.
+
+### Inject secrets for direnv
+
+```sh
+envrcctl inject
+```
+
+Non-interactive runs are blocked unless `--force` is provided.
+
+### Effective view (masked)
+
+```sh
+envrcctl eval
+```
+
+### Diagnostics
+
+```sh
+envrcctl doctor
+```
+
+### Migration
+
+```sh
+envrcctl migrate
+```
+
+You'll be prompted when unmanaged exports or secret refs are detected. Use `--yes` to confirm in non-interactive runs.
+
+## Backend Selection (macOS/Linux)
+
+envrcctl selects a backend automatically by platform, or via `ENVRCCTL_BACKEND`.
+
+Supported schemes:
+
+- `kc` — macOS Keychain
+- `ss` — SecretService via `secret-tool`
+
+Example:
+
+```sh
+ENVRCCTL_BACKEND=ss envrcctl secret set OPENAI_API_KEY --account openai:prod
+```
+
+Secret references are stored as:
+
+```
+<scheme>:<service>:<account>:<kind>
+```
+
+`kind` is `runtime` or `admin` (default: `runtime`).
+
+Example:
+
+```
+kc:st.rio.envrcctl:openai:prod:runtime
+kc:st.rio.envrcctl:openai:admin:admin
+```
+
+## Shell Completion
+
+```sh
+envrcctl --install-completion
+envrcctl --show-completion bash
+envrcctl --show-completion zsh
+envrcctl --show-completion fish
+```
+
+Generated scripts are stored under `completions/`. To refresh:
+
+```sh
+uv run python scripts/generate_completions.py
+```
+
+## Security Notes
+
+- Secrets are never written to `.envrc`
+- Secrets are never passed in CLI arguments
+- `.envrc` updates are atomic
+- `inject` is blocked in non-interactive environments unless `--force` is provided
+- `secret get` is clipboard-only by default; plaintext output is TTY-guarded
+- The tool refuses to write to world-writable `.envrc`
+
+## Development
+
+```sh
+uv sync
+.venv/bin/envrcctl --help
+```
+
+## Acknowledgements
+
+Based on the article below, I added commands such as `exec`. Thank you for the helpful hints.  
+“[もう.envにAPIキーを平文で置くのはやめた — macOS Keychain管理CLI「LLM Key Ring」](https://zenn.dev/yottayoshida/articles/llm-key-ring-secure-api-key-management)”
+
+## License
+
+MIT

envrcctl-0.0.1/completions/envrcctl.bash

@@ -0,0 +1,11 @@
+
+_envrcctl_completion() {
+    local IFS=$'
+'
+    COMPREPLY=( $( env COMP_WORDS="${COMP_WORDS[*]}" \
+                   COMP_CWORD=$COMP_CWORD \
+                   _ENVRCCTL_COMPLETE=complete_bash $1 ) )
+    return 0
+}
+
+complete -o default -F _envrcctl_completion envrcctl

envrcctl-0.0.1/completions/envrcctl.fish

@@ -0,0 +1 @@
+complete --command envrcctl --no-files --arguments "(env _ENVRCCTL_COMPLETE=complete_fish _TYPER_COMPLETE_FISH_ACTION=get-args _TYPER_COMPLETE_ARGS=(commandline -cp) envrcctl)" --condition "env _ENVRCCTL_COMPLETE=complete_fish _TYPER_COMPLETE_FISH_ACTION=is-args _TYPER_COMPLETE_ARGS=(commandline -cp) envrcctl"

envrcctl-0.0.1/completions/envrcctl.zsh

@@ -0,0 +1,8 @@
+
+#compdef envrcctl
+
+_envrcctl_completion() {
+  eval $(env _TYPER_COMPLETE_ARGS="${words[1,$CURRENT]}" _ENVRCCTL_COMPLETE=complete_zsh envrcctl)
+}
+
+compdef _envrcctl_completion envrcctl

envrcctl-0.0.1/pyproject.toml

@@ -0,0 +1,31 @@
+[project]
+name = "envrcctl"
+version = "0.0.1"
+description = "Manage .envrc with managed blocks and OS-backed secrets."
+readme = "README.md"
+license = { file = "LICENSE" }
+requires-python = ">=3.14"
+dependencies = [
+    "typer>=0.24.1",
+]
+
+[project.scripts]
+envrcctl = "envrcctl.main:main"
+
+[build-system]
+requires = ["hatchling>=1.24.2"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/envrcctl"]
+include = ["completions/**"]
+
+[tool.hatch.build.targets.sdist]
+include = ["src/envrcctl/**", "completions/**", "README.md", "LICENSE", "pyproject.toml"]
+
+[dependency-groups]
+dev = [
+    "pytest>=9.0.2",
+    "pytest-cov>=7.0.0",
+    "bandit>=1.7.10",
+]

envrcctl-0.0.1/src/envrcctl/__init__.py

@@ -0,0 +1 @@
+"""envrcctl package."""