Capy



Like git, built for secrets.

Install · Quickstart · Documentation · Changelog · Issues


Capy is a secrets toolchain with git-style primitives — branch, sync, deploy, revoke — end-to-end encrypted on your machine and fully revocable for humans and agents. Your .env becomes versioned state your team can commit, roll back, and offboard without rotating a single key.

Compare Capy to Doppler, Infisical, dotenvx, AWS Secrets Manager, and SOPS.

Install

Capy in its most basic form is just a CLI: no lengthy signup, account setup, or SDK to import.

npm install -g @capysc/cli

Or with Bun:

bun add -g @capysc/cli

Or with Homebrew:

brew install capysc/tap/capy

Quickstart

capy                              # sync secrets
capy edit                         # inspect & edit secrets in a TUI
capy invite rachael@tyrell.com    # add a teammate
capy kick roy@tyrell.com          # remove a teammate
capy run -- npm run dev           # run with decrypted secrets
capy deploy                       # ship to prod

That's the whole loop. Edit a secret, run capy, see the capybara banner below, redeploy.

[Screenshot: Capy CLI welcome banner showing project, organization, branch, and a capybara]

Why Use Capy

  • We hold ciphertext. You hold keys. A subpoena gets us nothing. Our service stores membership records and ciphertext. We don't hold your master key, your project keys, or any plaintext. Compromise of our service OR your local values yields nothing useful.
  • Revocation is cryptographic, not a database flag. capy kick makes the kicked user's local key.enc cryptographically inert. Remaining members keep using the same keys; no rotation cascade.
  • Your code stays vanilla process.env. No SDK to import, no daemon to run, no dashboard to maintain. capy run injects decrypted values into Node, Python, Go, Ruby, or any process that reads env vars.
  • Branches that match git. Capy runs alongside git with its own branches and a committed keep.lock manifest. Each git branch pins to a Capy branch, so secrets travel with your code.
  • Source-available CLI. AGPL-3.0. Code is auditable on GitHub. (What AGPL means for your team in practice.)

How it works

Capy is a zero-trust secrets manager: we start by encrypting your .env on your machine. The encrypted secrets then sync to our service, and your team decrypts them on their own machines. We never see plaintext at any point.

Two-share zero-trust model

Decryption is a two-party operation: our service strips the outer wrap of your key.enc, your machine strips the inner. Neither side has both keys.

For the full threat model, see docs.capy.sc/internals/zero-trust. For the cryptographic constructions, see docs.capy.sc/internals/cryptography.

Encrypt at source

Most secrets managers encrypt at rest on their servers. Capy is one of the few that encrypts at source. Every value in your .env is ciphertext on your machine before any of it crosses the wire, making Capy a uniquely zero-trust, end-to-end secrets control system built for humans and agents alike.

[Screenshot: a .env file viewed in vi, with every value as a capy:resourceId:ciphertext snippet]

Each value is a capy:{resourceId}:{ciphertext} snippet only your team can decrypt, but with just enough characters surrounding the ciphertext for you to identify the items. Plaintext only exists in process memory while capy run has your app spawned.

Editing secrets

Two ways to change a value. Both end up encrypted and synced — pick whichever fits the moment.

Edit .env in place

Open .env in your editor and overwrite a capy:... snippet with the new plaintext value. The next capy sync re-encrypts whatever changed and updates keep.lock.

[Screenshot: .env opened in vi with JWT_SECRET being edited in place alongside other capy:resourceId:ciphertext snippets]

Good when you're already in your editor, pasting a new key from a dashboard, or scripting a bulk change.
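The capy:{resourceId}:{ciphertext} snippet format and the edit-in-place flow above both come down to one question a tool (or a pre-commit hook) can answer: which values in .env are still encrypted snippets, and which have been overwritten with plaintext and are waiting for the next sync to re-encrypt them? The following is an added example, not Capy's own parser or its real snippet grammar; the character set assumed for resourceId and ciphertext, and the sample file, are constructed for illustration.

```javascript
// Added example, not Capy's code. Assumed snippet grammar: capy:<resourceId>:<ciphertext>
// where resourceId is [A-Za-z0-9_-] and ciphertext is base64/base64url text.
const SNIPPET_RE = /^capy:([A-Za-z0-9_-]+):([A-Za-z0-9+/=_-]+)$/;

// Strip one layer of matching single or double quotes, as dotenv-style parsers do.
function unquote(v) {
  const t = v.trim();
  const first = t[0];
  const last = t[t.length - 1];
  if (t.length >= 2 && first === last && (first === '"' || first === "'")) {
    return t.slice(1, -1);
  }
  return t;
}

// Parse .env text into [{ key, value, line }], skipping blanks, comments and malformed lines.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;
    const eq = line.indexOf('=');
    if (eq <= 0) return; // no key, or no '=' at all
    const key = line.slice(0, eq).trim().replace(/^export\s+/, '');
    entries.push({ key, value: unquote(line.slice(eq + 1)), line: i + 1 });
  });
  return entries;
}

// Classify each variable as 'encrypted' (a capy snippet), 'plaintext' (edited in place and
// not yet re-encrypted by a sync), or 'empty'.
function classifyEnv(text) {
  return parseEnv(text).map((e) => {
    const m = SNIPPET_RE.exec(e.value);
    return {
      key: e.key,
      line: e.line,
      state: e.value === '' ? 'empty' : m ? 'encrypted' : 'plaintext',
      resourceId: m ? m[1] : null,
    };
  });
}

// Keys whose values are plaintext: what a pre-commit check should refuse to let through,
// and what the next sync would pick up for re-encryption.
function pendingPlaintext(text) {
  return classifyEnv(text)
    .filter((e) => e.state === 'plaintext')
    .map((e) => e.key);
}

// Constructed sample file: resource ids and ciphertexts are made up for this example.
const SAMPLE_ENV = [
  '# constructed sample',
  'DATABASE_URL=capy:res_01abc:Zm9vYmFy',
  'JWT_SECRET=supersecret-new-value',
  "STRIPE_KEY='capy:res_02def:YmF6cXV4'",
  'OPTIONAL_FLAG=',
].join('\n');
```

Calling `pendingPlaintext(SAMPLE_ENV)` returns `['JWT_SECRET']`: the value overwritten in the editor, while the quoted snippet on STRIPE_KEY is still recognised as encrypted once the quotes are stripped. A hook that fails the commit when that list is non-empty is the cheapest guard against a freshly pasted key reaching git before a sync runs.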

Edit through the TUI (capy edit)

capy edit opens an interactive table of every variable on the current branch with sync status, drift, and conflicts visible at a glance. Reveal a value with r, edit with e, navigate with ↑↓, quit with q.

[Screenshot: capy edit TUI showing a table of variables with sync status and a JWT_SECRET detail panel]

Good when you want to see drift across the whole branch, edit one variable without touching the file, or check what's in sync before a deploy.

Commands

Command                    Description
capy                       Sync secrets. Initializes on first run.
capy run -- <cmd>          Run a command with decrypted secrets injected.
capy edit                  Inspect and edit secrets in an interactive TUI.
capy status                Show drift between local, pinned, and remote.
capy push                  Push local changes without pulling.
capy lock                  Lock the local key so the passphrase is required next time.
capy deploy                Generate a deploy token and walk through platform setup.
capy connect <provider>    Pull a credential from a provider into .env.
capy rotate [var]          Rotate a managed credential.
capy invite <email>        Invite a teammate.
capy redeem <code>         Redeem an invite code.
capy transport             Move your account to another machine.
capy kick <email>          Remove a teammate.
capy users                 Interactive member management.
capy org                   List or switch organizations.
capy branch                List or switch branches.
capy checkout <branch>     Switch branches. -b to create.
capy grant-branch          Grant access to a protected branch.
capy revoke-branch         Revoke branch access.
capy recover               Restore access from your recovery phrase.
capy end-recover           End a recovery session.
capy decrypt               Decrypt secrets offline (owner only).
capy use <profile>         Switch between configured profiles.
capy profile               Manage CLI profiles.
capy byoc [url]            Connect to a self-hosted Capy instance.
capy info                  Show current session info.
capy logout                Clear local session.
capy cleanup               Remove git hooks and local state.

Syncing

Running capy with no arguments performs a three-way diff between your local .env, the last pinned snapshot in keep.lock, and the latest on the service. Conflicts open an interactive resolver. See docs.capy.sc/using/syncing-secrets.
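What a three-way diff decides per key, as an added example that is not Capy's sync code: each variable is compared against the pinned snapshot on both sides, so a change made on only one side is applied, an identical change on both sides is accepted, and a divergent change is set aside for the resolver rather than silently overwritten. The example treats keep.lock, the local .env and the remote as plain key-to-value maps, which is an assumption; the sample values are constructed stand-ins for ciphertexts.

```javascript
// Added example, not Capy's code. base = pinned keep.lock snapshot, local = .env on disk,
// remote = latest on the service. All three are assumed to be {KEY: opaqueValue} maps;
// a key absent from a map means "not present on that side".
function threeWayDiff(base, local, remote) {
  const keys = [...new Set([...Object.keys(base), ...Object.keys(local), ...Object.keys(remote)])].sort();
  const merged = {};
  const changes = [];
  const conflicts = [];
  for (const k of keys) {
    const b = base[k];
    const l = local[k];
    const r = remote[k];
    const localChanged = l !== b;
    const remoteChanged = r !== b;
    let winner;
    let side = null;
    if (!localChanged && !remoteChanged) {
      winner = b; // nobody touched it
    } else if (localChanged && !remoteChanged) {
      winner = l; side = 'local'; // only we changed it (or deleted it, when l is undefined)
    } else if (!localChanged && remoteChanged) {
      winner = r; side = 'remote'; // only a teammate changed it
    } else if (l === r) {
      winner = l; side = 'both'; // both made the identical change: not a conflict
    } else {
      // both changed it differently: never pick silently, hand it to the resolver
      conflicts.push({ key: k, base: b, local: l, remote: r });
      continue;
    }
    if (winner !== undefined) merged[k] = winner;
    if (side) changes.push({ key: k, side, action: winner === undefined ? 'delete' : 'set' });
  }
  return { merged, changes, conflicts };
}

// Apply the user's per-key choice ('local' or 'remote') to the conflicts; anything
// without a choice stays unresolved so the caller cannot accidentally sync past it.
function resolveConflicts(diff, choices) {
  const merged = { ...diff.merged };
  const unresolved = [];
  for (const c of diff.conflicts) {
    const pick = choices[c.key];
    if (pick !== 'local' && pick !== 'remote') {
      unresolved.push(c.key);
      continue;
    }
    const v = pick === 'local' ? c.local : c.remote;
    if (v !== undefined) merged[c.key] = v;
  }
  return { merged, unresolved };
}

// Constructed sample: values stand in for ciphertexts.
const PINNED = { DATABASE_URL: 'ct-db-1', JWT_SECRET: 'ct-jwt-1', STRIPE_KEY: 'ct-stripe-1', OLD_FLAG: 'ct-old-1' };
const LOCAL = { DATABASE_URL: 'ct-db-1', JWT_SECRET: 'ct-jwt-local', STRIPE_KEY: 'ct-stripe-1', NEW_LOCAL: 'ct-new-1' }; // OLD_FLAG deleted locally
const REMOTE = { DATABASE_URL: 'ct-db-remote', JWT_SECRET: 'ct-jwt-remote', STRIPE_KEY: 'ct-stripe-1', OLD_FLAG: 'ct-old-1' };
```

On the sample, `threeWayDiff(PINNED, LOCAL, REMOTE)` takes the remote DATABASE_URL, keeps the local NEW_LOCAL, honours the local deletion of OLD_FLAG, leaves STRIPE_KEY alone, and reports JWT_SECRET as the one conflict, which `resolveConflicts` will only clear once the user has picked a side.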

Running your app

capy run -- <cmd> decrypts .env in memory and spawns your command with the values set as environment variables. Works in any runtime that reads env vars. See docs.capy.sc/using/running-your-app.

Deploying

capy deploy walks through Vercel, Cloudflare, Docker, Fly, Railway, Render, Heroku, GitHub Actions, and AWS Lambda. See docs.capy.sc/using/deploying.

Team

capy invite <email> to add a teammate; capy kick <email> to remove one. Invite codes travel out-of-band; kicks are O(1) with no key rotation. See docs.capy.sc/using/team/inviting.

Branches

Capy is a version control system for secrets that runs alongside git. You commit code, you sync secrets. Both have branches, both have a committed manifest (.git/, keep.lock), both pull and push to a remote. The difference: git's remote sees your code, Capy's remote only sees ciphertext.

A Capy branch is to your secrets what a git branch is to your code: a parallel state with its own values and its own access list. Switching branches changes which values capy run injects. As an example setup, you might keep a development branch open to every member while gating a production branch to only admins.

Because Capy branches are independent of git branches, each git branch pins to a Capy branch via the committed keep.lock file. Branch names are yours to choose, just like in git: a common pattern is sharing one shared dev branch across feature work and pinning release-* git branches to a separate staging or production branch.

For the full state model and protected-branch role enforcement, see docs.capy.sc/using/branches/overview.

FAQ

What is zero trust?

Zero-trust is a cryptographic property: an attacker who fully compromises our service still can't decrypt your secrets, because every decryption requires a key share that lives only on your machine. Capy isn't asking you to trust us; the architecture ensures that compromising our service alone yields only ciphertext.

What if I lose my seed phrase?

If you're the org owner and you lose the seed phrase with no other device holding key.enc, you lose access to that org. Capy can't help; it's zero-trust by design, so recovery would require us to hold something we intentionally don't. Back the seed phrase up when it's shown (password manager, physical note in a safe).

How do I migrate from plain dotenv?

Run capy in a project that already has a .env. On first run, Capy treats your .env as authoritative, encrypts every value, uploads the ciphertext, and rewrites .env in place with capy:... snippets. A backup of your original .env is written to .env.pre-capy.old (gitignored).

Does it work offline?

The first sync needs network for authentication and key co-decrypt, but after that, capy run works offline against the local cache at ~/.capy/. You can develop on a plane; you just can't pick up changes other teammates pushed.

How fast does capy kick propagate?

Immediately. On the kicked user's next request, the service refuses to strip the outer wrap; their key.enc becomes cryptographically inert on disk. The master key never rotates because remaining members can keep using it.

Does this meet SOC 2 / GDPR requirements?

SOC 2 audit is in progress. GDPR-compliant. Trust posture and ongoing reports at trust.capy.sc.

What does Capy cost?

Free for individuals and small teams. Paid plans for orgs that need higher quotas, more projects, or more members.

Does it support SSO?

Yes. Configure your identity provider (Okta, Azure AD, Google Workspace, etc.) when creating your organization and your team authenticates via the same provider as the rest of your stack.

Can I self-host?

Not currently. The service component is closed. If self-hosting matters for your compliance posture, get in touch.

What if capy.sc goes down?

capy run keeps working from the local cache, so your running apps don't break. New syncs pause until the service comes back.

Does it work in CI?

Yes. capy deploy generates SECRETS_BLOB and PROJECT_KEY to set as CI env vars; capy run in your build/test step does the rest. See the GitHub Actions guide at docs.capy.sc/using/deploying/github-actions.

Supply chain

Capy ships with five runtime dependencies. Each is a load-bearing piece of the CLI; nothing is included for convenience or to save a few lines of code. A small dependency footprint keeps the supply-chain attack surface tight.

Dependency        Purpose                 Status
commander         CLI argument parsing    ✓ no known vulnerabilities
dotenv            .env file parsing       ✓ no known vulnerabilities
inquirer          Interactive prompts     ✓ no known vulnerabilities
open              OAuth browser launch    ✓ no known vulnerabilities
proper-lockfile   Atomic file locking     ✓ no known vulnerabilities

Live audit status and the full transitive dep tree: github.com/capysc/capy-cli/network/dependencies.

Dependabot keeps dependencies current — see .github/dependabot.yml. It opens weekly PRs for npm and github-actions, with dev dependencies grouped into a single PR per ecosystem.

Security

Don't file public GitHub issues or discussions for security vulnerabilities. Those channels are public.

Capy takes security issues seriously. If you've found a vulnerability, email security@capy.sc with a description and ideally a way to reproduce it. We'll respond as soon as possible.

This address is for undisclosed vulnerabilities only. Please report security problems to us before disclosing them publicly.

Contributing

You can fork this repo and create pull requests:

github.com/capysc/capy-cli - bugs and discussions

License

AGPL-3.0-only. Copyright © Incentv Technologies Inc.

See LICENSE for the full text. For what AGPL means for your team in practice — when it imposes obligations and when it doesn't — see docs.capy.sc/using/license.