v0.5.3: per-key timestamps, murk scan, exec --only/--clean-env, quick-start guide

.github/workflows/dependabot-automerge.yaml

@@ -2,14 +2,15 @@ name: Dependabot auto-merge
 
 on: pull_request
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   auto-merge:
     if: github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Fetch Dependabot metadata
         id: meta

.github/workflows/node.yaml

@@ -25,7 +25,7 @@ jobs:
       - name: Lint
         working-directory: node
         run: |
-          npm install
+          npm ci
           npx biome check
 
   test:
@@ -45,7 +45,7 @@ jobs:
       - name: Install and test
         working-directory: node
         run: |
-          npm install
+          npm ci
           npx napi build --platform --release
           node __test__/index.test.mjs
 
@@ -89,7 +89,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: node
-        run: npm install
+        run: npm ci
 
       - name: Build (native)
         if: ${{ !matrix.settings.docker }}
@@ -142,7 +142,7 @@ jobs:
       - name: Publish
         working-directory: node
         run: |
-          npm install
+          npm ci
           npx napi prepublish -t npm --skip-gh-release
           npm publish --access public --provenance
         env:

Cargo.toml

@@ -42,6 +42,7 @@ tempfile = "3.27.0"
 clap_complete = "4.6.0"
 fs2 = "0.4.3"
 pyo3 = { version = "0.28", features = ["extension-module"], optional = true }
+walkdir = "2.5.0"
 
 [target.'cfg(unix)'.dependencies]
 libc = "0.2"

README.md

@@ -203,14 +203,15 @@ murk restore
 | `murk edit [KEY] [--scoped]` | Edit secrets in `$EDITOR` |
 | `murk ls` | List key names |
 | `murk export` | Print all secrets as shell exports |
-| `murk exec CMD...` | Run a command with secrets in the environment |
+| `murk exec CMD...` | Run a command with secrets in the environment (`--only`, `--clean-env`) |
 | `murk diff [REF]` | Show secret changes since a git ref |
 | `murk import [FILE]` | Import secrets from a .env file |
 | `murk describe KEY "..."` | Set description for a key |
 | `murk info` | Show public schema (no key required) |
 | `murk circle` | List recipients |
 | `murk circle authorize PUBKEY [--name NAME]` | Add a recipient (age key, `ssh:path`, or `github:user`) |
 | `murk circle revoke RECIPIENT` | Remove a recipient |
+| `murk scan [PATHS...]` | Scan files for leaked secret values |
 | `murk skeleton` | Export schema-only vault with no secrets or recipients |
 | `murk restore` | Recover key from BIP39 phrase |
 | `murk recover` | Show recovery phrase for current key |

docs/quick-start.md

@@ -0,0 +1,69 @@
+# Quick start for teammates
+
+You've been invited to a project that uses murk for secrets. Here's how to get set up.
+
+## 1. Install murk
+
+```bash
+brew tap iicky/murk && brew install murk
+```
+
+Or: `cargo install murk-cli`, `pip install murk`, or download from [GitHub Releases](https://github.com/iicky/murk/releases).
+
+## 2. Generate your key
+
+```bash
+murk init
+```
+
+This creates your keypair and prints 24 recovery words. **Write them down.** If you lose your key, these words are the only way to recover it.
+
+Your key is stored in `~/.config/murk/keys/`, not in the repo.
+
+## 3. Share your public key
+
+```bash
+murk recover
+```
+
+Wait — that's for recovery. To get your public key for authorization:
+
+```bash
+cat ~/.config/murk/keys/*.pub 2>/dev/null || murk info 2>/dev/null
+```
+
+Actually, the easiest path: ask the team lead to run:
+
+```bash
+murk circle authorize github:YOUR_USERNAME
+```
+
+This fetches your SSH public keys from GitHub and adds you to the vault. No manual key exchange needed.
+
+## 4. Pull and use secrets
+
+Once authorized:
+
+```bash
+git pull                    # get the updated .murk file
+murk ls                     # see what secrets are available
+murk get DATABASE_URL       # print one secret
+murk export                 # print all as shell exports
+murk exec -- ./my-script.sh # run a command with secrets in env
+```
+
+## 5. Set up direnv (optional)
+
+```bash
+murk env
+direnv allow
+```
+
+Now secrets are automatically loaded when you `cd` into the project.
+
+## What to know
+
+- **Key names are public.** Anyone with repo access can see what secrets exist (e.g. `STRIPE_KEY`). Only values are encrypted.
+- **Your key is your identity.** Don't share it. Don't paste it into chat. Don't commit it.
+- **Recovery phrase = your key.** If someone has your 24 words, they have your key.
+- **Revocation doesn't erase history.** If you leave the team, your access to old git history remains. The team should rotate secrets after revoking you.

src/export.rs

@@ -215,6 +215,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 
@@ -235,6 +236,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 
@@ -257,6 +259,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec!["db".into()],
+                ..Default::default()
             },
         );
         vault.schema.insert(
@@ -265,6 +268,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec!["api".into()],
+                ..Default::default()
             },
         );
 
@@ -286,6 +290,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 
@@ -435,6 +440,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 
@@ -455,6 +461,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 
@@ -474,6 +481,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 
@@ -496,6 +504,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec!["db".into()],
+                ..Default::default()
             },
         );
         vault.schema.insert(
@@ -504,6 +513,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec!["api".into()],
+                ..Default::default()
             },
         );
 
@@ -526,6 +536,7 @@ mod tests {
                 description: "orphan key".into(),
                 example: None,
                 tags: vec!["db".into()],
+                ..Default::default()
             },
         );
         vault.schema.insert(
@@ -534,6 +545,7 @@ mod tests {
                 description: "has a value".into(),
                 example: None,
                 tags: vec!["db".into()],
+                ..Default::default()
             },
         );
 
@@ -558,6 +570,7 @@ mod tests {
                 description: String::new(),
                 example: None,
                 tags: vec![],
+                ..Default::default()
             },
         );
 

src/info.rs

@@ -241,6 +241,7 @@ mod tests {
                 description: "database url".into(),
                 example: Some("postgres://...".into()),
                 tags: vec!["db".into()],
+                ..Default::default()
             },
         );
         let bytes = test_vault_bytes(schema);
@@ -265,6 +266,7 @@ mod tests {
                 description: "db".into(),
                 example: None,
                 tags: vec!["db".into()],
+                ..Default::default()
             },
         );
         schema.insert(
@@ -273,6 +275,7 @@ mod tests {
                 description: "api".into(),
                 example: None,
                 tags: vec!["api".into()],
+                ..Default::default()
             },
         );
         let bytes = test_vault_bytes(schema);