hidehub 0.1.0__tar.gz

hidehub-0.1.0/PKG-INFO

@@ -0,0 +1,76 @@
+Metadata-Version: 2.4
+Name: hidehub
+Version: 0.1.0
+Summary: Secure secret management for developers — zero-knowledge .env vault
+Author: HideHub
+License: MIT
+Project-URL: Homepage, https://hidehub.com
+Project-URL: Documentation, https://hidehub.com/docs
+Project-URL: Repository, https://github.com/marcus20232023/hidehub_claude
+Keywords: secrets,environment-variables,dotenv,encryption,security,cli
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: typer>=0.12.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: cryptography>=43.0.0
+
+# HideHub CLI
+
+Secure secret management from the command line.
+
+## Installation
+
+```bash
+pip install hidehub-cli
+```
+
+Or install from source:
+
+```bash
+cd client
+pip install -e .
+```
+
+## Quick Start
+
+```bash
+# Authenticate
+hidehub init --email you@example.com
+
+# Push secrets from a .env file
+hidehub push --env-file .env.production --project my-api
+
+# List projects
+hidehub list
+
+# List secrets in a project
+hidehub list --project my-api
+
+# Run a command with secrets injected
+hidehub run --project my-api -- npm start
+
+# Rotate a secret
+hidehub rotate OPENAI_API_KEY --project my-api
+
+# Export secrets for shell eval
+eval "$(hidehub use --project my-api --export)"
+```
+
+## CI/CD Usage
+
+Set the `HIDEHUB_API_KEY` environment variable to use API key auth instead of JWT:
+
+```bash
+export HIDEHUB_API_KEY=hh_your_api_key_here
+hidehub run --project my-api -- npm test
+```

hidehub-0.1.0/README.md

@@ -0,0 +1,50 @@
+# HideHub CLI
+
+Secure secret management from the command line.
+
+## Installation
+
+```bash
+pip install hidehub-cli
+```
+
+Or install from source:
+
+```bash
+cd client
+pip install -e .
+```
+
+## Quick Start
+
+```bash
+# Authenticate
+hidehub init --email you@example.com
+
+# Push secrets from a .env file
+hidehub push --env-file .env.production --project my-api
+
+# List projects
+hidehub list
+
+# List secrets in a project
+hidehub list --project my-api
+
+# Run a command with secrets injected
+hidehub run --project my-api -- npm start
+
+# Rotate a secret
+hidehub rotate OPENAI_API_KEY --project my-api
+
+# Export secrets for shell eval
+eval "$(hidehub use --project my-api --export)"
+```
+
+## CI/CD Usage
+
+Set the `HIDEHUB_API_KEY` environment variable to use API key auth instead of JWT:
+
+```bash
+export HIDEHUB_API_KEY=hh_your_api_key_here
+hidehub run --project my-api -- npm test
+```

hidehub-0.1.0/hidehub.egg-info/PKG-INFO

@@ -0,0 +1,76 @@
+Metadata-Version: 2.4
+Name: hidehub
+Version: 0.1.0
+Summary: Secure secret management for developers — zero-knowledge .env vault
+Author: HideHub
+License: MIT
+Project-URL: Homepage, https://hidehub.com
+Project-URL: Documentation, https://hidehub.com/docs
+Project-URL: Repository, https://github.com/marcus20232023/hidehub_claude
+Keywords: secrets,environment-variables,dotenv,encryption,security,cli
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: typer>=0.12.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: cryptography>=43.0.0
+
+# HideHub CLI
+
+Secure secret management from the command line.
+
+## Installation
+
+```bash
+pip install hidehub-cli
+```
+
+Or install from source:
+
+```bash
+cd client
+pip install -e .
+```
+
+## Quick Start
+
+```bash
+# Authenticate
+hidehub init --email you@example.com
+
+# Push secrets from a .env file
+hidehub push --env-file .env.production --project my-api
+
+# List projects
+hidehub list
+
+# List secrets in a project
+hidehub list --project my-api
+
+# Run a command with secrets injected
+hidehub run --project my-api -- npm start
+
+# Rotate a secret
+hidehub rotate OPENAI_API_KEY --project my-api
+
+# Export secrets for shell eval
+eval "$(hidehub use --project my-api --export)"
+```
+
+## CI/CD Usage
+
+Set the `HIDEHUB_API_KEY` environment variable to use API key auth instead of JWT:
+
+```bash
+export HIDEHUB_API_KEY=hh_your_api_key_here
+hidehub run --project my-api -- npm test
+```

hidehub-0.1.0/hidehub.egg-info/SOURCES.txt

@@ -0,0 +1,22 @@
+README.md
+pyproject.toml
+hidehub.egg-info/PKG-INFO
+hidehub.egg-info/SOURCES.txt
+hidehub.egg-info/dependency_links.txt
+hidehub.egg-info/entry_points.txt
+hidehub.egg-info/requires.txt
+hidehub.egg-info/top_level.txt
+hidehub_cli/__init__.py
+hidehub_cli/__main__.py
+hidehub_cli/api_client.py
+hidehub_cli/cli.py
+hidehub_cli/config.py
+hidehub_cli/crypto.py
+hidehub_cli/env_parser.py
+hidehub_cli/commands/__init__.py
+hidehub_cli/commands/init.py
+hidehub_cli/commands/list.py
+hidehub_cli/commands/push.py
+hidehub_cli/commands/rotate.py
+hidehub_cli/commands/run.py
+hidehub_cli/commands/use.py

hidehub-0.1.0/hidehub.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

hidehub-0.1.0/hidehub.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+hidehub = hidehub_cli.cli:app

hidehub-0.1.0/hidehub.egg-info/requires.txt

@@ -0,0 +1,3 @@
+typer>=0.12.0
+httpx>=0.27.0
+cryptography>=43.0.0

hidehub-0.1.0/hidehub.egg-info/top_level.txt

@@ -0,0 +1 @@
+hidehub_cli

hidehub-0.1.0/hidehub_cli/__init__.py

@@ -0,0 +1,3 @@
+"""HideHub CLI — Secure secret management from the command line."""
+
+__version__ = "0.1.0"

hidehub-0.1.0/hidehub_cli/__main__.py

@@ -0,0 +1,5 @@
+"""Entry point for `python -m hidehub_cli`."""
+
+from hidehub_cli.cli import app
+
+app()

hidehub-0.1.0/hidehub_cli/api_client.py

@@ -0,0 +1,114 @@
+"""HTTP client for HideHub API."""
+
+from __future__ import annotations
+
+import httpx
+
+from hidehub_cli.config import get_server, get_token, get_api_key
+
+
+class ApiError(Exception):
+    def __init__(self, status: int, detail: str):
+        self.status = status
+        self.detail = detail
+        super().__init__(detail)
+
+
+class HideHubClient:
+    def __init__(self, server: str | None = None, token: str | None = None):
+        self.server = server or get_server()
+        self.token = token or get_token()
+        self.api_key = get_api_key()
+
+    def _headers(self) -> dict[str, str]:
+        headers: dict[str, str] = {"Content-Type": "application/json"}
+        if self.api_key:
+            headers["X-API-Key"] = self.api_key
+        elif self.token:
+            headers["Authorization"] = f"Bearer {self.token}"
+        return headers
+
+    def _request(self, method: str, path: str, **kwargs) -> dict:
+        url = f"{self.server}{path}"
+        with httpx.Client(timeout=30) as client:
+            resp = client.request(method, url, headers=self._headers(), **kwargs)
+        if not resp.is_success:
+            detail = resp.text
+            try:
+                body = resp.json()
+                detail = body.get("detail", detail)
+            except Exception:
+                pass
+            raise ApiError(resp.status_code, detail)
+        if resp.status_code == 204:
+            return {}
+        return resp.json()
+
+    # Auth
+    def login(self, email: str, password: str) -> dict:
+        """Returns full login response (may include requires_2fa)."""
+        data = self._request("POST", "/auth/login", json={"email": email, "password": password})
+        if data.get("access_token"):
+            self.token = data["access_token"]
+        return data
+
+    def verify_2fa(self, two_fa_token: str, code: str) -> str:
+        data = self._request(
+            "POST", "/auth/2fa/verify",
+            json={"two_fa_token": two_fa_token, "code": code},
+        )
+        self.token = data["access_token"]
+        return data["access_token"]
+
+    def exchange_github_token(self, github_access_token: str) -> dict:
+        """Exchange a GitHub access token for a HideHub JWT."""
+        data = self._request(
+            "POST", "/auth/github/token",
+            json={"github_access_token": github_access_token},
+        )
+        if data.get("access_token"):
+            self.token = data["access_token"]
+        return data
+
+    def get_me(self) -> dict:
+        return self._request("GET", "/auth/me")
+
+    # Projects
+    def list_projects(self) -> list[dict]:
+        return self._request("GET", "/projects")["items"]
+
+    def create_project(self, name: str) -> dict:
+        return self._request("POST", "/projects", json={"name": name})
+
+    def get_project(self, project_id: str) -> dict:
+        return self._request("GET", f"/projects/{project_id}")
+
+    def find_project_by_name(self, name: str) -> dict | None:
+        projects = self.list_projects()
+        for p in projects:
+            if p["name"] == name:
+                return p
+        return None
+
+    # Secrets
+    def list_secrets(self, project_id: str) -> list[dict]:
+        return self._request("GET", f"/projects/{project_id}/secrets")["items"]
+
+    def get_secret(self, project_id: str, secret_id: str) -> dict:
+        return self._request("GET", f"/projects/{project_id}/secrets/{secret_id}")
+
+    def bulk_push(self, project_id: str, secrets: list[dict], force: bool = False) -> dict:
+        return self._request(
+            "POST",
+            f"/projects/{project_id}/secrets/bulk",
+            json={"secrets": secrets, "force": force},
+        )
+
+    def update_secret(
+        self, project_id: str, secret_id: str, encrypted_blob: str, keep_history: bool = True
+    ) -> dict:
+        return self._request(
+            "PUT",
+            f"/projects/{project_id}/secrets/{secret_id}",
+            json={"encrypted_blob": encrypted_blob, "keep_history": keep_history},
+        )

hidehub-0.1.0/hidehub_cli/cli.py

@@ -0,0 +1,39 @@
+"""HideHub CLI — Secure secret management from the command line."""
+
+import typer
+
+from hidehub_cli import __version__
+from hidehub_cli.commands.init import init
+from hidehub_cli.commands.push import push
+from hidehub_cli.commands.use import use
+from hidehub_cli.commands.run import run
+from hidehub_cli.commands.list import list_cmd
+from hidehub_cli.commands.rotate import rotate
+
+app = typer.Typer(
+    name="hidehub",
+    help="Secure secret management for developers. Never commit an API key again.",
+    no_args_is_help=True,
+)
+
+app.command("init")(init)
+app.command("push")(push)
+app.command("use")(use)
+app.command("run")(run)
+app.command("list")(list_cmd)
+app.command("rotate")(rotate)
+
+
+def version_callback(value: bool):
+    if value:
+        typer.echo(f"hidehub-cli {__version__}")
+        raise typer.Exit()
+
+
+@app.callback()
+def main(
+    version: bool = typer.Option(
+        None, "--version", "-V", callback=version_callback, is_eager=True, help="Show version"
+    ),
+):
+    """HideHub — Your secrets, your keys."""

hidehub-0.1.0/hidehub_cli/commands/__init__.py

@@ -0,0 +1 @@
+# CLI commands package

hidehub-0.1.0/hidehub_cli/commands/init.py

@@ -0,0 +1,175 @@
+"""hidehub init — Authenticate and save config."""
+
+from __future__ import annotations
+
+import getpass
+import time
+
+import httpx
+import typer
+
+from hidehub_cli.api_client import HideHubClient, ApiError
+from hidehub_cli.config import save_config, DEFAULT_SERVER
+
+app = typer.Typer()
+
+
+def _prompt_2fa(client: HideHubClient, two_fa_token: str) -> str:
+    """Prompt for a TOTP code (or backup code) and verify."""
+    typer.echo("\n🔐 Two-factor authentication required.")
+    code = typer.prompt("Enter your 2FA code")
+    try:
+        return client.verify_2fa(two_fa_token, code)
+    except ApiError as e:
+        typer.echo(f"✗ 2FA verification failed: {e.detail}", err=True)
+        raise typer.Exit(1)
+
+
+def _login_email(client: HideHubClient) -> str:
+    """Email/password login flow, returns access token."""
+    email = typer.prompt("Email")
+    password = getpass.getpass("Password: ")
+
+    try:
+        data = client.login(email, password)
+    except ApiError as e:
+        typer.echo(f"✗ Authentication failed: {e.detail}", err=True)
+        raise typer.Exit(1)
+
+    if data.get("requires_2fa"):
+        return _prompt_2fa(client, data["two_fa_token"])
+
+    return data["access_token"]
+
+
+def _login_github(client: HideHubClient, server: str) -> str:
+    """GitHub Device Flow login, returns access token."""
+    # We need the GitHub Client ID. Fetch it from the server's config endpoint
+    # or use the well-known HideHub GitHub OAuth App client ID.
+    # For device flow, we call GitHub directly with the client_id.
+    typer.echo("\n🔗 Starting GitHub Device Flow...")
+
+    # Step 1: Get the GitHub client_id from the server
+    # We'll request a device code from GitHub
+    github_client_id = _get_github_client_id(server)
+    if not github_client_id:
+        typer.echo("✗ GitHub OAuth is not configured on this server.", err=True)
+        raise typer.Exit(1)
+
+    # Step 2: Request device code
+    with httpx.Client(timeout=30) as http:
+        resp = http.post(
+            "https://github.com/login/oauth/device/code",
+            data={"client_id": github_client_id, "scope": "user:email"},
+            headers={"Accept": "application/json"},
+        )
+        if resp.status_code != 200:
+            typer.echo("✗ Failed to start GitHub device flow.", err=True)
+            raise typer.Exit(1)
+        device = resp.json()
+
+    user_code = device["user_code"]
+    verification_uri = device["verification_uri"]
+    device_code = device["device_code"]
+    interval = device.get("interval", 5)
+    expires_in = device.get("expires_in", 900)
+
+    typer.echo(f"\n  Open: {verification_uri}")
+    typer.echo(f"  Enter code: {user_code}\n")
+    typer.echo("Waiting for authorization...", nl=False)
+
+    # Step 3: Poll for access token
+    github_token = None
+    deadline = time.time() + expires_in
+
+    with httpx.Client(timeout=30) as http:
+        while time.time() < deadline:
+            time.sleep(interval)
+            typer.echo(".", nl=False)
+            resp = http.post(
+                "https://github.com/login/oauth/access_token",
+                data={
+                    "client_id": github_client_id,
+                    "device_code": device_code,
+                    "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                },
+                headers={"Accept": "application/json"},
+            )
+            body = resp.json()
+            error = body.get("error")
+            if error == "authorization_pending":
+                continue
+            elif error == "slow_down":
+                interval = body.get("interval", interval + 5)
+                continue
+            elif error == "expired_token":
+                typer.echo("\n✗ Device code expired. Please try again.", err=True)
+                raise typer.Exit(1)
+            elif error == "access_denied":
+                typer.echo("\n✗ Authorization denied.", err=True)
+                raise typer.Exit(1)
+            elif error:
+                typer.echo(f"\n✗ GitHub error: {error}", err=True)
+                raise typer.Exit(1)
+            else:
+                github_token = body.get("access_token")
+                break
+
+    typer.echo("")  # newline after dots
+
+    if not github_token:
+        typer.echo("✗ Failed to get GitHub access token.", err=True)
+        raise typer.Exit(1)
+
+    # Step 4: Exchange GitHub token for HideHub JWT
+    try:
+        data = client.exchange_github_token(github_token)
+    except ApiError as e:
+        typer.echo(f"✗ GitHub token exchange failed: {e.detail}", err=True)
+        raise typer.Exit(1)
+
+    if data.get("requires_2fa"):
+        return _prompt_2fa(client, data["two_fa_token"])
+
+    return data["access_token"]
+
+
+def _get_github_client_id(server: str) -> str | None:
+    """Fetch the GitHub client ID from the server's config endpoint."""
+    try:
+        with httpx.Client(timeout=10) as http:
+            resp = http.get(f"{server}/auth/github/client-id")
+            if resp.status_code == 200:
+                return resp.json().get("client_id")
+    except Exception:
+        pass
+    return None
+
+
+@app.command()
+def init(
+    server: str = typer.Option(DEFAULT_SERVER, "--server", "-s", help="Custom server URL"),
+    github: bool = typer.Option(False, "--github", "-g", help="Login with GitHub"),
+):
+    """Authenticate with HideHub and save your config."""
+    client = HideHubClient(server=server)
+
+    if not github:
+        # Ask which method
+        typer.echo("How would you like to sign in?")
+        typer.echo("  [1] Email & password")
+        typer.echo("  [2] GitHub")
+        choice = typer.prompt("Choose", default="1")
+        github = choice.strip() == "2"
+
+    if github:
+        token = _login_github(client, server)
+    else:
+        token = _login_email(client)
+
+    # Save config
+    me = client.get_me()
+    save_config({"server": server, "token": token, "email": me["email"]})
+
+    typer.echo(f"✓ Authenticated as {me['email']}")
+    typer.echo("✓ Config saved to ~/.hidehub/config.json")

hidehub-0.1.0/hidehub_cli/commands/list.py

@@ -0,0 +1,70 @@
+"""hidehub list — View projects and secrets."""
+
+from __future__ import annotations
+
+import getpass
+
+import typer
+
+from hidehub_cli.api_client import HideHubClient, ApiError
+from hidehub_cli.crypto import decrypt_secret
+
+app = typer.Typer()
+
+
+@app.command("list")
+def list_cmd(
+    project: str = typer.Option(None, "--project", "-p", help="Show secrets for a specific project"),
+    show_values: bool = typer.Option(False, "--show-values", help="Display decrypted values"),
+):
+    """View projects and their secrets."""
+    client = HideHubClient()
+
+    if not project:
+        # List projects
+        projects = client.list_projects()
+        if not projects:
+            typer.echo("No projects found. Run `hidehub push` to create one.")
+            return
+
+        typer.echo(f"{'PROJECT':<25} {'SECRETS':>8}   {'LAST UPDATED'}")
+        typer.echo("-" * 55)
+        for p in projects:
+            updated = p["updated_at"][:10] if p.get("updated_at") else "—"
+            typer.echo(f"{p['name']:<25} {p['secret_count']:>8}   {updated}")
+        return
+
+    # List secrets for a project
+    proj = client.find_project_by_name(project)
+    if not proj:
+        typer.echo(f"✗ Project '{project}' not found", err=True)
+        raise typer.Exit(1)
+
+    secrets = client.list_secrets(proj["id"])
+    if not secrets:
+        typer.echo(f"No secrets in project '{project}'.")
+        return
+
+    master_password = None
+    if show_values:
+        master_password = getpass.getpass("Master password: ")
+
+    typer.echo(f"\nProject: {project} ({len(secrets)} secrets)")
+    typer.echo("-" * 60)
+
+    if show_values:
+        typer.echo(f"{'KEY':<30} {'VALUE':<25} {'VERSION'}")
+        for s in secrets:
+            try:
+                full = client.get_secret(proj["id"], s["id"])
+                value = decrypt_secret(full["encrypted_blob"], master_password)
+                # Truncate long values
+                display = value[:22] + "..." if len(value) > 25 else value
+                typer.echo(f"{s['key_name']:<30} {display:<25} v{s['version']}")
+            except Exception:
+                typer.echo(f"{s['key_name']:<30} {'<decrypt failed>':<25} v{s['version']}")
+    else:
+        typer.echo(f"{'KEY':<30} {'VERSION':>8}   {'UPDATED'}")
+        for s in secrets:
+            updated = s["updated_at"][:10] if s.get("updated_at") else "—"
+            typer.echo(f"{s['key_name']:<30} {'v' + str(s['version']):>8}   {updated}")

hidehub-0.1.0/hidehub_cli/commands/push.py

@@ -0,0 +1,75 @@
+"""hidehub push — Encrypt and upload secrets from a .env file."""
+
+from __future__ import annotations
+
+import getpass
+import os
+
+import typer
+
+from hidehub_cli.api_client import HideHubClient, ApiError
+from hidehub_cli.crypto import encrypt_secret
+from hidehub_cli.env_parser import parse_env_file
+
+app = typer.Typer()
+
+
+@app.command()
+def push(
+    env_file: str = typer.Option(".env", "--env-file", "-f", help="Path to .env file"),
+    project: str = typer.Option(None, "--project", "-p", help="Project name (default: directory name)"),
+    clean: bool = typer.Option(False, "--clean", help="Delete local .env after upload"),
+    force: bool = typer.Option(False, "--force", help="Overwrite existing secrets"),
+):
+    """Encrypt and upload secrets from a .env file."""
+    if not os.path.exists(env_file):
+        typer.echo(f"✗ File not found: {env_file}", err=True)
+        raise typer.Exit(1)
+
+    if not project:
+        project = os.path.basename(os.getcwd())
+
+    master_password = getpass.getpass("Master password: ")
+
+    secrets = parse_env_file(env_file)
+    if not secrets:
+        typer.echo("✗ No valid key=value pairs found", err=True)
+        raise typer.Exit(1)
+
+    typer.echo(f"✓ Read {len(secrets)} secrets from {env_file}")
+
+    # Encrypt each secret
+    encrypted = []
+    for key, value in secrets.items():
+        encrypted.append({
+            "key_name": key,
+            "encrypted_blob": encrypt_secret(value, master_password),
+        })
+    typer.echo("✓ Encrypted with AES-256-GCM")
+
+    client = HideHubClient()
+
+    # Find or create project
+    proj = client.find_project_by_name(project)
+    if not proj:
+        try:
+            proj = client.create_project(project)
+            typer.echo(f"✓ Created project \"{project}\"")
+        except ApiError as e:
+            typer.echo(f"✗ Failed to create project: {e.detail}", err=True)
+            raise typer.Exit(1)
+
+    # Bulk push
+    try:
+        result = client.bulk_push(proj["id"], encrypted, force=force)
+        typer.echo(
+            f"✓ Uploaded to project \"{project}\" "
+            f"({result['created']} new, {result['updated']} updated)"
+        )
+    except ApiError as e:
+        typer.echo(f"✗ Upload failed: {e.detail}", err=True)
+        raise typer.Exit(1)
+
+    if clean:
+        os.remove(env_file)
+        typer.echo(f"✓ Local file deleted (--clean)")

hidehub-0.1.0/hidehub_cli/commands/rotate.py

@@ -0,0 +1,54 @@
+"""hidehub rotate — Update a secret's value with version history."""
+
+from __future__ import annotations
+
+import getpass
+
+import typer
+
+from hidehub_cli.api_client import HideHubClient, ApiError
+from hidehub_cli.crypto import encrypt_secret
+
+app = typer.Typer()
+
+
+@app.command()
+def rotate(
+    key_name: str = typer.Argument(help="Name of the secret to rotate"),
+    project: str = typer.Option(..., "--project", "-p", help="Project containing the secret"),
+    value: str = typer.Option(None, "--value", "-v", help="New value (prompted if omitted)"),
+    keep_history: bool = typer.Option(True, "--keep-history/--no-history", help="Keep old value in version history"),
+):
+    """Rotate a secret to a new value."""
+    master_password = getpass.getpass("Master password: ")
+
+    if not value:
+        value = getpass.getpass(f"Enter new value for {key_name}: ")
+        if not value:
+            typer.echo("✗ Value cannot be empty", err=True)
+            raise typer.Exit(1)
+
+    client = HideHubClient()
+
+    proj = client.find_project_by_name(project)
+    if not proj:
+        typer.echo(f"✗ Project '{project}' not found", err=True)
+        raise typer.Exit(1)
+
+    # Find secret by key name
+    secrets = client.list_secrets(proj["id"])
+    secret = next((s for s in secrets if s["key_name"] == key_name), None)
+    if not secret:
+        typer.echo(f"✗ Key '{key_name}' not found in project '{project}'", err=True)
+        raise typer.Exit(1)
+
+    encrypted = encrypt_secret(value, master_password)
+
+    try:
+        result = client.update_secret(proj["id"], secret["id"], encrypted, keep_history)
+        typer.echo(f"✓ Rotated {key_name}")
+        if keep_history:
+            typer.echo(f"✓ Previous value saved (version {result['version'] - 1})")
+    except ApiError as e:
+        typer.echo(f"✗ Rotation failed: {e.detail}", err=True)
+        raise typer.Exit(1)

hidehub-0.1.0/hidehub_cli/commands/run.py

@@ -0,0 +1,75 @@
+"""hidehub run — Inject secrets and run a command."""
+
+from __future__ import annotations
+
+import getpass
+import os
+import subprocess
+import sys
+
+import typer
+
+from hidehub_cli.api_client import HideHubClient, ApiError
+from hidehub_cli.crypto import decrypt_secret
+
+app = typer.Typer()
+
+
+@app.command(
+    context_settings={"allow_extra_args": True, "ignore_unknown_options": True},
+)
+def run(
+    ctx: typer.Context,
+    project: str = typer.Option(..., "--project", "-p", help="Project to load secrets from"),
+    env_file: str = typer.Option(None, "--env-file", "-f", help="Also load local .env (merged)"),
+    silent: bool = typer.Option(False, "--silent", "-s", help="Suppress HideHub output"),
+):
+    """Inject secrets and run a command.
+
+    Usage: hidehub run --project my-api -- npm start
+    """
+    command = ctx.args
+    if not command:
+        typer.echo("✗ No command specified. Usage: hidehub run --project NAME -- COMMAND", err=True)
+        raise typer.Exit(1)
+
+    master_password = getpass.getpass("Master password: ")
+    client = HideHubClient()
+
+    proj = client.find_project_by_name(project)
+    if not proj:
+        typer.echo(f"✗ Project '{project}' not found", err=True)
+        raise typer.Exit(1)
+
+    secrets = client.list_secrets(proj["id"])
+
+    # Build environment
+    env = os.environ.copy()
+
+    # Load local .env file first (lower priority)
+    if env_file and os.path.exists(env_file):
+        from hidehub_cli.env_parser import parse_env_file
+        local_secrets = parse_env_file(env_file)
+        env.update(local_secrets)
+
+    # Decrypt and inject HideHub secrets (higher priority)
+    loaded = 0
+    for s in secrets:
+        try:
+            full = client.get_secret(proj["id"], s["id"])
+            value = decrypt_secret(full["encrypted_blob"], master_password)
+            env[s["key_name"]] = value
+            loaded += 1
+        except Exception as e:
+            typer.echo(f"✗ Failed to decrypt {s['key_name']}: {e}", err=True)
+
+    if not silent:
+        typer.echo(f"[hidehub] Loaded {loaded} secrets for project \"{project}\"", err=True)
+
+    # Run the command
+    result = subprocess.run(command, env=env)
+
+    if not silent:
+        typer.echo("[hidehub] Cleaning up environment variables...", err=True)
+
+    raise typer.Exit(result.returncode)

hidehub-0.1.0/hidehub_cli/commands/use.py

@@ -0,0 +1,94 @@
+"""hidehub use — Interactive secret picker, outputs export statements."""
+
+from __future__ import annotations
+
+import getpass
+import sys
+
+import typer
+
+from hidehub_cli.api_client import HideHubClient, ApiError
+from hidehub_cli.crypto import decrypt_secret
+
+app = typer.Typer()
+
+
+def _pick_from_list(prompt: str, items: list[dict], name_key: str) -> dict | None:
+    """Simple numbered list picker for terminals without questionary."""
+    if not items:
+        return None
+    typer.echo(f"\n{prompt}")
+    for i, item in enumerate(items, 1):
+        typer.echo(f"  {i}. {item[name_key]}")
+    while True:
+        choice = typer.prompt("Select", default="1")
+        try:
+            idx = int(choice) - 1
+            if 0 <= idx < len(items):
+                return items[idx]
+        except ValueError:
+            pass
+        typer.echo("Invalid choice, try again.")
+
+
+@app.command()
+def use(
+    project: str = typer.Option(None, "--project", "-p", help="Project name"),
+    key: str = typer.Option(None, "--key", "-k", help="Specific key to load"),
+    export: bool = typer.Option(False, "--export", help="Output as export statements"),
+):
+    """Load secrets into your environment."""
+    master_password = getpass.getpass("Master password: ")
+    client = HideHubClient()
+
+    # Select project
+    if project:
+        proj = client.find_project_by_name(project)
+        if not proj:
+            typer.echo(f"✗ Project '{project}' not found", err=True)
+            raise typer.Exit(1)
+    else:
+        projects = client.list_projects()
+        if not projects:
+            typer.echo("✗ No projects found. Run `hidehub push` first.", err=True)
+            raise typer.Exit(1)
+        proj = _pick_from_list("Select project:", projects, "name")
+        if not proj:
+            raise typer.Exit(1)
+
+    # Get secrets
+    secrets = client.list_secrets(proj["id"])
+    if not secrets:
+        typer.echo(f"✗ No secrets in project '{proj['name']}'", err=True)
+        raise typer.Exit(1)
+
+    # Filter by key if specified
+    if key:
+        secrets = [s for s in secrets if s["key_name"] == key]
+        if not secrets:
+            typer.echo(f"✗ Key '{key}' not found in project '{proj['name']}'", err=True)
+            raise typer.Exit(1)
+
+    # Decrypt and output
+    loaded = 0
+    for s in secrets:
+        try:
+            full = client.get_secret(proj["id"], s["id"])
+            value = decrypt_secret(full["encrypted_blob"], master_password)
+            if export:
+                # Output for eval: eval "$(hidehub use --export)"
+                sys.stdout.write(f"export {s['key_name']}={_shell_escape(value)}\n")
+            loaded += 1
+        except Exception as e:
+            typer.echo(f"✗ Failed to decrypt {s['key_name']}: {e}", err=True)
+
+    if not export:
+        typer.echo(f"✓ Loaded {loaded} secrets from project \"{proj['name']}\"")
+
+
+def _shell_escape(value: str) -> str:
+    """Escape a value for safe shell export."""
+    if not value or any(c in value for c in " \t\n'\"\\$`!#&|;(){}"):
+        escaped = value.replace("'", "'\\''")
+        return f"'{escaped}'"
+    return value

hidehub-0.1.0/hidehub_cli/config.py

@@ -0,0 +1,40 @@
+"""Manages ~/.hidehub/config.json for auth and server settings."""
+
+import json
+import os
+from pathlib import Path
+
+CONFIG_DIR = Path.home() / ".hidehub"
+CONFIG_FILE = CONFIG_DIR / "config.json"
+
+DEFAULT_SERVER = "https://hidehub.com/api"
+
+
+def _ensure_dir() -> None:
+    CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+
+
+def load_config() -> dict:
+    if not CONFIG_FILE.exists():
+        return {}
+    return json.loads(CONFIG_FILE.read_text())
+
+
+def save_config(config: dict) -> None:
+    _ensure_dir()
+    CONFIG_FILE.write_text(json.dumps(config, indent=2) + "\n")
+    # Restrict permissions
+    os.chmod(CONFIG_FILE, 0o600)
+
+
+def get_server() -> str:
+    return load_config().get("server", DEFAULT_SERVER)
+
+
+def get_token() -> str | None:
+    return load_config().get("token")
+
+
+def get_api_key() -> str | None:
+    """Check HIDEHUB_API_KEY env var for headless/CI auth."""
+    return os.environ.get("HIDEHUB_API_KEY")

hidehub-0.1.0/hidehub_cli/crypto.py

@@ -0,0 +1,123 @@
+"""V1 encryption compatible with frontend crypto.ts.
+
+Scheme: PBKDF2-SHA256 (600k iter) → HKDF → AES-256-GCM + HMAC-SHA256
+Output: JSON string {v, salt, iv, ct, tag, hmac, algorithm, kdf}
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import hmac as hmac_mod
+import json
+import os
+from typing import Any
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives import hashes
+
+V1_ITERATIONS = 600_000
+V1_SALT_BYTES = 32
+V1_IV_BYTES = 12
+
+
+def _b64(data: bytes) -> str:
+    return base64.b64encode(data).decode()
+
+
+def _unb64(s: str) -> bytes:
+    return base64.b64decode(s)
+
+
+def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
+    """Derive encryption key and HMAC key from password + salt.
+
+    Matches frontend deriveKeysV1() exactly:
+      1. PBKDF2-SHA256, 600k iterations → 32-byte master key
+      2. HKDF-SHA256 with info="encryption" → 32-byte enc key
+      3. HKDF-SHA256 with info="hmac" → 32-byte hmac key
+    """
+    # PBKDF2
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=V1_ITERATIONS,
+    )
+    master_key = kdf.derive(password.encode())
+
+    # HKDF → encryption key
+    hkdf_enc = HKDF(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=b"",  # empty salt, matching frontend
+        info=b"encryption",
+    )
+    enc_key = hkdf_enc.derive(master_key)
+
+    # HKDF → HMAC key
+    hkdf_hmac = HKDF(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=b"",
+        info=b"hmac",
+    )
+    hmac_key = hkdf_hmac.derive(master_key)
+
+    return enc_key, hmac_key
+
+
+def encrypt_secret(plaintext: str, password: str) -> str:
+    """Encrypt a secret value. Returns JSON string compatible with frontend."""
+    salt = os.urandom(V1_SALT_BYTES)
+    iv = os.urandom(V1_IV_BYTES)
+    enc_key, hmac_key = _derive_keys(password, salt)
+
+    # AES-256-GCM
+    aesgcm = AESGCM(enc_key)
+    # AESGCM.encrypt returns ciphertext + 16-byte tag appended
+    ct_with_tag = aesgcm.encrypt(iv, plaintext.encode(), None)
+    ct = ct_with_tag[:-16]
+    tag = ct_with_tag[-16:]
+
+    # HMAC-SHA256 over ciphertext
+    hmac_sig = hmac_mod.new(hmac_key, ct, hashlib.sha256).digest()
+
+    blob: dict[str, Any] = {
+        "v": 1,
+        "salt": _b64(salt),
+        "iv": _b64(iv),
+        "ct": _b64(ct),
+        "tag": _b64(tag),
+        "hmac": _b64(hmac_sig),
+        "algorithm": "AES-256-GCM",
+        "kdf": "PBKDF2-SHA256-600k+HKDF",
+    }
+    return json.dumps(blob)
+
+
+def decrypt_secret(encrypted_json: str, password: str) -> str:
+    """Decrypt a v1 encrypted secret."""
+    blob = json.loads(encrypted_json)
+    if blob.get("v") != 1:
+        raise ValueError(f"Unsupported encryption version: {blob.get('v')}")
+
+    salt = _unb64(blob["salt"])
+    iv = _unb64(blob["iv"])
+    ct = _unb64(blob["ct"])
+    tag = _unb64(blob["tag"])
+    hmac_expected = _unb64(blob["hmac"])
+
+    enc_key, hmac_key = _derive_keys(password, salt)
+
+    # Verify HMAC
+    hmac_actual = hmac_mod.new(hmac_key, ct, hashlib.sha256).digest()
+    if not hmac_mod.compare_digest(hmac_actual, hmac_expected):
+        raise ValueError("HMAC verification failed — data may be corrupted or wrong password")
+
+    # Decrypt
+    aesgcm = AESGCM(enc_key)
+    plaintext = aesgcm.decrypt(iv, ct + tag, None)
+    return plaintext.decode()

hidehub-0.1.0/hidehub_cli/env_parser.py

@@ -0,0 +1,38 @@
+"""Parse .env files into key=value dicts."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+
+def parse_env_file(path: str | Path) -> dict[str, str]:
+    """Parse a .env file into a dict of key-value pairs.
+
+    Handles:
+    - Blank lines and comments (lines starting with #)
+    - Quoted values (single and double quotes)
+    - Inline comments after values
+    """
+    result: dict[str, str] = {}
+    text = Path(path).read_text()
+
+    for line in text.splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+
+        idx = line.find("=")
+        if idx == -1:
+            continue
+
+        key = line[:idx].strip()
+        value = line[idx + 1 :].strip()
+
+        # Remove surrounding quotes
+        if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
+            value = value[1:-1]
+
+        if key:
+            result[key] = value
+
+    return result

hidehub-0.1.0/pyproject.toml

@@ -0,0 +1,41 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "hidehub"
+version = "0.1.0"
+description = "Secure secret management for developers — zero-knowledge .env vault"
+readme = "README.md"
+requires-python = ">=3.10"
+license = {text = "MIT"}
+authors = [{name = "HideHub"}]
+keywords = ["secrets", "environment-variables", "dotenv", "encryption", "security", "cli"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries",
+]
+dependencies = [
+    "typer>=0.12.0",
+    "httpx>=0.27.0",
+    "cryptography>=43.0.0",
+]
+
+[project.urls]
+Homepage = "https://hidehub.com"
+Documentation = "https://hidehub.com/docs"
+Repository = "https://github.com/marcus20232023/hidehub_claude"
+
+[project.scripts]
+hidehub = "hidehub_cli.cli:app"
+
+[tool.setuptools.packages.find]
+include = ["hidehub_cli*"]

hidehub-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+