Package Exports
- @vasudevshetty/safekey
- @vasudevshetty/safekey/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@vasudevshetty/safekey) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
SafeKey: Secure Secrets Manager CLI
SafeKey is an offline-first, developer-friendly secrets manager CLI. Built in TypeScript, it supports advanced encryption, config injection, and a powerful extensible architecture. It is inspired by the Go-based prototype, but enhanced with modern Node.js and developer tooling.
Think of it as the "Vault meets Dotenv", with CLI, TUI, and Web Dashboard phases.
1. Product Design Philosophy
CLI (Must-Have, Phase 1)
- Why: Devs and DevOps engineers love fast, scriptable tools.
- Built With: TypeScript + commander.js (or oclif) + ESM support.
- Usage: safekey init, safekey add <key>, safekey get <key>, safekey inject
TUI (Nice-to-Have, Phase 2)
- Why: Friendly dashboard for non-terminal folks.
- Built With: Ink (React-like CLI UIs).
- Features: Browse vault, edit secrets, copy to clipboard.
Web Dashboard (Optional, Phase 3+)
- Why: Visualize vault, sync across systems.
- Built With: Next.js 15, TailwindCSS, shadcn/ui, and optionally wrapped in Electron.
2. Architecture Overview (Clean + Scalable)
safekey/
├── bin/                 # CLI entry (compiled JS files here)
├── src/
│   ├── cli/             # CLI commands
│   │   ├── init.ts
│   │   ├── add.ts
│   │   ├── get.ts
│   │   ├── inject.ts
│   │   └── utils.ts
│   ├── tui/             # Ink-based terminal UI (optional)
│   │   └── App.tsx
│   ├── core/            # Vault + secrets management
│   │   ├── index.ts
│   │   ├── vault.ts
│   │   ├── secrets.ts
│   │   └── store.ts
│   ├── crypto/          # AES/GPG encryption utilities
│   │   ├── aes.ts
│   │   ├── gpg.ts
│   │   └── utils.ts
│   ├── config/          # User config profiles
│   │   └── config.ts
│   └── index.ts         # Main CLI entrypoint
├── tests/
│   └── vault.test.ts
├── package.json
├── tsconfig.json
└── README.md
3. Tech Stack & Tools
Area | Stack/Library | Reason |
---|---|---|
CLI Framework | commander.js or oclif | Structured CLI with help docs |
Module Format | type: module (ESM) + .mts files | Future-proof, cleaner syntax |
Packaging | pkg, nexe, or esbuild | Create native binaries |
TUI | Ink, React, ink-select-input | Interactive terminal UI |
Encryption | Node.js crypto module | AES-256-GCM, secure randoms |
File Ops | fs/promises, path, os | Vault I/O and config loading |
Config Store | conf, cosmiconfig, or custom JSON | Persistent config management |
Formats Supported | JSON, YAML, TOML via js-yaml | Interop and export/import |
Secrets Injection | dotenv, child_process, .env | Auto inject to env or command |
Web UI | Next.js 15, Tailwind, shadcn/ui | Web management panel |
State Mgmt (Web) | Zustand, Redux | Web vault syncing |
Testing | vitest, jest | Unit + integration tests |
Linting & Format | eslint, prettier | Dev quality & consistency |
Security Audits | snyk, npm audit, node-sec-check | Safe dep check |
4. Feature Roadmap (By Phase)
Phase 1: CLI Core MVP
- safekey init: initializes an AES-256 encrypted vault (JSON-backed).
- safekey add <key> / get <key> / rm <key>: CRUD secrets.
- safekey list: view all keys.
- safekey export / import: move vault across machines.
- .env generator from stored secrets.
- ~/.safekeyrc.json for config profiles.
- AES-GCM for confidentiality + integrity.
- Versioning support for vault entries.
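An added example (not SafeKey's own code) of the AES-256-GCM vault encryption listed in Phase 1, using the Node.js crypto module named in the tech stack. The envelope field names, the scrypt key derivation and the function names are assumptions made for illustration; the point is that a fresh nonce is used per write and that a wrong password, a modified ciphertext or a changed version field all fail the authentication tag check.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

// Hypothetical on-disk envelope; field names are assumptions, not SafeKey's format.
interface SealedVault { v: number; salt: string; iv: string; tag: string; data: string; }

const VERSION = 1;

// Derive a 256-bit key from the vault password; the salt is stored beside the ciphertext.
function deriveKey(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function sealVault(secrets: Record<string, string>, password: string): SealedVault {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh 96-bit nonce on every write; never reuse one under the same key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(`safekey-vault-v${VERSION}`)); // bind the version field to the tag
  const data = Buffer.concat([cipher.update(JSON.stringify(secrets), "utf8"), cipher.final()]);
  return {
    v: VERSION,
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  };
}

function openVault(sealed: SealedVault, password: string): Record<string, string> {
  const key = deriveKey(password, Buffer.from(sealed.salt, "base64"));
  const tag = Buffer.from(sealed.tag, "base64");
  if (tag.length !== 16) throw new Error("bad auth tag length"); // reject truncated tags
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(sealed.iv, "base64"));
  decipher.setAAD(Buffer.from(`safekey-vault-v${sealed.v}`));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, nonce, version or password does not match the tag.
  const plain = Buffer.concat([decipher.update(Buffer.from(sealed.data, "base64")), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Returns true when an envelope is rejected instead of decrypted.
function rejects(sealed: SealedVault, password: string): boolean {
  try { openVault(sealed, password); return false; } catch { return true; }
}
```

Because decryption only returns after `final()` verifies the tag, a caller never sees plaintext from a tampered vault file.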
Phase 2: Optional TUI
- Ink-based terminal interface with panels and navigation.
- Display secrets, profiles, and vault metadata.
- Copy to clipboard, toggle reveal/hide secrets.
Phase 3: Inject Secrets into Shell/Commands
safekey inject -- <cmd>:
- Inject stored secrets as env vars.
- Automatically wrap any npm run, python, etc.
- Output .env file or execute inline with process.env.
Phase 4: Vault Sync & GitOps (Optional)
- safekey push: Encrypt + commit vault to Git repo (GPG/AES).
- safekey pull: Decrypt remote vault + restore.
- GitHub/GitLab integration for secrets-as-code workflows.
Phase 5: Web Dashboard
- Built with Next.js 15 + Tailwind CSS + Zustand.
- View/edit vault from local or synced file.
- Optional: Electron desktop wrapper.
- Secure local access with vault password (no cloud).
5. Modular Folder Structure (Scalable)
Everything is TypeScript + ESM (type: module in package.json).
safekey/
├── bin/             → Compiled binaries
├── src/
│   ├── cli/         → All command line logic
│   ├── core/        → Vault core encryption logic
│   ├── crypto/      → AES + GPG handling
│   ├── tui/         → Optional Ink-based terminal UI
│   ├── config/      → Profile & vault config parsing
│   └── index.ts     → Entrypoint
├── tests/           → Unit + integration tests
├── package.json     → Scripts + dependencies
├── tsconfig.json    → ESM + strict TS options
└── README.md
6. Skills You'll Master Along the Way
Area | Skills |
---|---|
TypeScript | Advanced types, module systems (ESM) |
CLI Dev | Commander/Oclif, Ink (TUI) |
Cryptography | AES, GPG, nonce, IV, secure randomness |
File Systems | Cross-platform, os.homedir(), etc. |
Testing | vitest , mocking fs , vault logic |
Config Mgmt | JSON schemas, validation, profiles |
Web Dev (Later) | TailwindCSS, Zustand, UI UX |
Security | Permissions, vault integrity checks |
DevOps Ready | NPM packaging, CLI release, CI/CD |
OSS Publishing | GitHub actions, releases, README |
Next Steps to Start:
- Setup basic ESM Node.js CLI (commander.js + tsconfig.json)
- Implement vault.ts using AES-GCM encryption
- Add file storage support (versioned JSON in ~/.safekey-vault.json)
- Build core commands: init, add, get, list
- Add unit tests with vitest
- (Optional): Start building TUI in Ink after CLI is stable
- Package with pkg or nexe, publish to GitHub/NPM
Let me know when you're ready to build the first file!