Metadata-Version: 2.4
Name: hidehub-cli
Version: 0.2.0
Summary: Secure .env vault with zero-knowledge encryption
Home-page: https://hidehub.com
Author: HideHub
Author-email: support@hidehub.com
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: typer>=0.9.0
Requires-Dist: requests>=2.31.0
Requires-Dist: cryptography>=41.0.0
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary

# HideHub CLI

**Secure .env vault with zero-knowledge encryption.** Never commit an API key again.

Manage your secrets from the command line — encrypt, upload, and inject them into any command. Your master password never leaves your device.

🌐 **[Sign up at hidehub.com](https://hidehub.com)**

---

## Features

- **Zero-knowledge encryption** — AES-256-GCM + PBKDF2 (600k iterations) + HKDF
- **One-command push** — encrypt and upload `.env` files instantly
- **Selective injection** — interactive picker to load only the secrets you need
- **Secret rotation** — version history built in
- **Multiple auth methods** — email/password, GitHub device flow, or API key

## Installation

```bash
pip install hidehub-cli
```

## Quick Start

### 1. Authenticate

```bash
# Interactive login (email + password)
hidehub init

# Login with GitHub device flow
hidehub init --github

# Login with an API key (for CI/CD)
hidehub init --api-key your-key-here
```

### 2. Push Secrets

```bash
# Encrypt and upload your .env file
hidehub push --env-file .env.production --project my-api

# Force overwrite existing secrets
hidehub push --env-file .env --project my-api --force
```

### 3. Use Secrets

```bash
# Interactive picker — select which secrets to load
hidehub use --project my-api

# Export to current shell
eval "$(hidehub use --project my-api --export)"

# Run a command with secrets injected
hidehub run --project my-api -- npm start
```

### 4. Manage

```bash
# View all projects
hidehub list

# View secrets in a project (key names only — values stay encrypted)
hidehub list --project my-api

# Rotate a secret (keeps version history)
hidehub rotate OPENAI_API_KEY --project my-api
```

## How It Works

```
Your .env → Client-side AES-256-GCM encryption → Encrypted blob → HideHub server
                                                  ↑
                                    Master password (never sent)
```

1. You set a master password (stored only in memory, never transmitted)
2. Keys are derived with PBKDF2-SHA256 (600k iterations) + HKDF expansion
3. Each secret is individually encrypted with AES-256-GCM + HMAC-SHA256 integrity check
4. Encrypted blobs are uploaded — the server never sees plaintext
5. On retrieval, your master password decrypts everything locally

## CI/CD

```bash
# Set environment variables in your CI pipeline
export HIDEHUB_API_KEY=***
export HIDEHUB_MASTER_PASSWORD=your-master-password

# Push secrets during deployment
hidehub push --env-file .env --project production --force

# Run tests with secrets
hidehub run --project production -- pytest
```

## Commands

| Command | Description |
|---------|-------------|
| `hidehub init` | Authenticate with your HideHub account |
| `hidehub push` | Encrypt and push secrets to a project |
| `hidehub use` | Load secrets into your environment |
| `hidehub run` | Run a command with secrets injected |
| `hidehub list` | List projects or secrets |
| `hidehub rotate` | Rotate a secret's value |

---

🔒 **[hidehub.com](https://hidehub.com)** — Free for 5 secrets. $5/mo for unlimited.
