ww 1.0.0

A Doppler-like secret manager built on ScyllaDB, with a background daemon and a CLI for injecting environment variables into processes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

# ww — Scylla‑backed secrets daemon + CLI

`ww` is a **Doppler‑like secret manager** built on [ScyllaDB](https://www.scylladb.com/). It runs a background daemon that talks to Scylla and exposes project secrets over a local **Unix socket**. The companion **CLI** can inject environment variables into commands, download them in multiple formats, or update individual keys.

---

## ✨ Features

- 🔑 Store project secrets in ScyllaDB (`map<text,text>` column)
- 📡 Local daemon with Unix socket protocol
- 🛠 CLI with familiar commands: `run`, `secrets`, `set-env`, `client`
- 🌐 Path‑to‑project bindings (`~/.config/ww/config.toml`)
- 📄 Export secrets as `.env`, JSON, or YAML
- 🔒 Socket permissions default to `0600`

---

## 🚀 Quick Start

### 1. Start the daemon

```bash
ww serve --node 127.0.0.1:9042 --user cassandra --pass cassandra
```

### 2. Bind your repo to a project

```bash
cd /path/to/repo
ww client setup my_project
```

### 3. Set a secret

```bash
ww set-env --name API_KEY --val abc123
```

### 4. Run your app with secrets injected

```bash
ww node app.js
```

---

## 🔧 CLI Overview

```text
USAGE:
    ww <COMMAND>

COMMANDS:
    serve       Start the daemon server
    run         Run a command with env vars injected
    secrets     Download or read secrets
    set-env     Upsert a single secret
    client      Manage global client config
```

### Examples

- **Show current project resolution**:

  ```bash
  ww client which
  ```

- **Download secrets to `.env` file**:

  ```bash
  ww secrets download --format env --output .env
  ```

- **Fetch a single secret**:

  ```bash
  ww secrets get --name API_KEY --plain
  ```

- **Run any command, injecting resolved project secrets**:

  ```bash
  ww npm run dev
  ```

---

## ⚙️ Client Config

Location: `~/.config/ww/config.toml`

```toml
default_project = "demo_project"

[[paths]]
dir = "/abs/path/to/repo"
project = "my_project"
```

Resolution order:

1. `--project` flag (explicit)
2. `WW_PROJECT` environment variable
3. Path binding from config
4. `default_project`

---

## 📡 Socket Protocol

The daemon speaks a simple line protocol over a Unix socket:

- `QUERY_PROJECTS:<project>\n``KEY=VALUE\n...`
- `ENSURE_PROJECT:<project>\n``OK\n` or `ERROR:...`
- `SET_ENV:<project>:<key>=<value>\n``OK\n` or `ERROR:...`

Socket path defaults to `/tmp/ww.sock`.

---

## 🔐 Security Notes

- Socket is `0600` (owner read/write only)
- Assumes local single‑user trust; no encryption/auth on socket
- Use `--plain` only when piping into secure sinks

---

## 🛠 Development

### Build

```bash
cargo build --release
```

### Test

```bash
cargo test
```

### Install locally

```bash
cargo install --path .
```

---

## 📜 License

Licensed under [MIT](LICENSE).