feat(cli): exec enterprise + deploy + keychain (alpha.7)

Three operator-facing features that close the gap between sealed-env
the library and a production-grade deploy workflow.

1. `sealed-env exec` learns enterprise mode

   When the sealed file is enterprise, exec mints the unseal token in
   memory (prompting for TOTP if not given via --totp), uses it to
   decrypt, and injects only the resulting plaintext env vars into the
   child process. Master/signing/TOTP/token are STRIPPED from the
   child's environment — the application sees DATABASE_URL etc., never
   SEALED_ENV_KEY.

2. `sealed-env deploy [-- <command>]` wrapper

   Production deploy wrapper around exec. Auto-detects deploy_id from
   `git rev-parse HEAD`, refuses to run with a dirty tree, optionally
   polls a health URL after the command. Replaces the typical
   hand-rolled 130-line deploy.sh with one command.

3. `sealed-env keychain push/pull/status/clear`

   OS-native encrypted storage for SEALED_ENV_* secrets, replacing
   plaintext .env.local. Cross-platform via shell-out (no native deps):

     Windows: DPAPI under %LOCALAPPDATA%\sealed-env\*.bin
     macOS:   security CLI (system Keychain)
     Linux:   secret-tool (libsecret)

   Auto-loader prefers keychain over .env.local. Status prints SHA-256
   fingerprints per entry (no values), safe for logs.

Plus:

  - `sealed-env unseal --token-only` for clean shell-script usage:
    TOKEN=$(sealed-env unseal --token-only ...)
  - Auto-load source string in stderr hint (keychain vs file).
  - Fixed init.ts inline-comment-in-.env.local bug that confused the
    auto-load parser.
  - Refactored token-mint flow into utils/token.ts shared by exec,
    deploy, and unseal.

Architecture: host-side decrypt. The operator's machine does the full
unseal; only plaintext env vars reach the container. Master keys never
touch the deploy host (when used with DOCKER_HOST=ssh://...).

Bumps to 0.1.0-alpha.7. No wire-format changes.

Author: davidalmeidac

CHANGELOG.md

@@ -14,6 +14,87 @@ files written today will remain readable forever. See [SPEC.md](./SPEC.md).
 
 ---
 
+## [0.1.0-alpha.7] — 2026-05-07
+
+Operator ergonomics + hardened key storage. **No wire-format changes** —
+files sealed by previous `0.1.0-alpha.x` releases (≥ alpha.4) decrypt
+cleanly on `0.1.0-alpha.7`.
+
+### Added
+
+- **`sealed-env exec` now handles enterprise mode end-to-end.** When the
+  file is enterprise, exec mints the unseal token IN MEMORY (prompting
+  for the TOTP code if `--totp` not given), uses it to decrypt, and
+  injects the resulting `KEY=value` pairs into the child process. The
+  raw token never appears in stdout/stderr/disk. Master/signing/TOTP
+  credentials are also stripped from the child's environment, so the
+  application sees only `DATABASE_URL` etc., never `SEALED_ENV_KEY`.
+
+  ```sh
+  # Single-line replacement for a 130-line deploy.sh:
+  sealed-env exec --file .env.sealed --deploy-id $(git rev-parse HEAD) \
+    -- docker compose up -d --build status
+  ```
+
+- **`sealed-env deploy [-- <command>]`** — production deploy wrapper
+  around `exec` that auto-detects `deploy_id` from `git rev-parse HEAD`,
+  refuses to run with a dirty working tree (uncommitted changes would
+  silently NOT be in the build), and optionally polls a health URL after
+  the command finishes. Replaces the standard hand-rolled deploy.sh
+  pattern with a single command.
+
+  ```sh
+  sealed-env deploy \
+    --health-url http://127.0.0.1:8090/actuator/health \
+    -- docker compose up -d --build status
+  ```
+
+- **`sealed-env keychain push|pull|status|clear`** — store
+  `SEALED_ENV_*` secrets in the OS-native encrypted keychain instead of
+  `.env.local` plaintext. Cross-platform via shell-out (no native deps):
+    - Windows: DPAPI (`%LOCALAPPDATA%\sealed-env\*.bin`, encrypted with
+      the user login key, inaccessible to other users on the machine).
+    - macOS: `security` CLI (system Keychain).
+    - Linux: `secret-tool` (libsecret / GNOME Keyring / KWallet).
+
+  After `keychain push`, the auto-loader prefers the keychain over
+  `.env.local`. The `status` subcommand prints a SHA-256 fingerprint
+  per entry (no values), safe for logs and support threads.
+
+- **`sealed-env unseal --token-only`** — emit just the token, no
+  surrounding human-readable text. Designed for shell scripts:
+  `TOKEN=$(sealed-env unseal --token-only --file ... --totp ...)`.
+  No more parsing through `grep -oE 'usl_...'`.
+
+### Changed
+
+- **Auto-load priority** is now: `process.env` → OS keychain →
+  `.env.local`. CI/explicit env vars still win. The startup hint
+  on stderr now reads `(loaded N SEALED_ENV_* vars from OS keychain)`
+  or `(... from .env.local)` so users know where their keys came from.
+
+- **`init` no longer writes inline comments** in `.env.local`. The
+  TOTP-secret-is-base32 hint moved to its own comment line above. The
+  old inline form (`SECRET=value  # base32`) confused the auto-load
+  parser, treating the comment as part of the value.
+
+### Architecture note: host-side decrypt
+
+This release enables a meaningful security upgrade for production
+deploys. With `sealed-env exec` / `sealed-env deploy`, the operator's
+machine does the full unseal (master key + signing key + TOTP secret +
+mint token) and only injects the resulting plaintext env vars into the
+container. The container — and the deploy host, if you deploy from
+laptop via `DOCKER_HOST=ssh://...` — never sees the master key,
+signing key, TOTP secret, or unseal token.
+
+In contrast, the Spring Boot starter approach (which still works, no
+breaking change) requires those credentials on the deploy host. For
+single-instance deploys that's fine; for multi-container fleets the
+starter is still the right call. Both are documented.
+
+---
+
 ## [0.1.0-alpha.6] — 2026-05-07
 
 UX release. **No wire-format changes** — files sealed by previous

docs/07-operational-guide.md

@@ -195,7 +195,7 @@ Add the starter to `pom.xml`:
 <dependency>
   <groupId>io.github.davidalmeidac</groupId>
   <artifactId>sealed-env-spring-boot-starter</artifactId>
-  <version>0.1.0-alpha.6</version>
+  <version>0.1.0-alpha.7</version>
 </dependency>
 ```
 

java/pom.xml

@@ -7,7 +7,7 @@
 
   <groupId>io.github.davidalmeidac</groupId>
   <artifactId>sealed-env-parent</artifactId>
-  <version>0.1.0-alpha.6</version>
+  <version>0.1.0-alpha.7</version>
   <packaging>pom</packaging>
 
   <name>sealed-env (parent)</name>

java/sealed-env-core/pom.xml

@@ -8,7 +8,7 @@
   <parent>
     <groupId>io.github.davidalmeidac</groupId>
     <artifactId>sealed-env-parent</artifactId>
-    <version>0.1.0-alpha.6</version>
+    <version>0.1.0-alpha.7</version>
   </parent>
 
   <artifactId>sealed-env-core</artifactId>

java/sealed-env-spring-boot-starter/pom.xml

@@ -8,7 +8,7 @@
   <parent>
     <groupId>io.github.davidalmeidac</groupId>
     <artifactId>sealed-env-parent</artifactId>
-    <version>0.1.0-alpha.6</version>
+    <version>0.1.0-alpha.7</version>
   </parent>
 
   <artifactId>sealed-env-spring-boot-starter</artifactId>

node/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sealed-env",
-  "version": "0.1.0-alpha.6",
+  "version": "0.1.0-alpha.7",
   "description": "Encrypted .env files with optional TOTP unsealing for production deploys. Cross-stack with the Java port. One minimal CLI dependency.",
   "keywords": [
     "dotenv",

node/src/cli/commands/deploy.ts

@@ -0,0 +1,193 @@
+/**
+ * `sealed-env deploy [--health-url <url>] -- <command> [args...]`
+ *
+ * Production deploy wrapper around `exec`. Adds the safety rails that
+ * a hand-rolled deploy.sh would otherwise have to implement:
+ *
+ *   - Auto-detects `deploy_id` from `git rev-parse HEAD`.
+ *   - Refuses to deploy with a dirty working tree (uncommitted changes
+ *     would silently NOT be in the build, since the deploy_id binds to
+ *     the committed sha).
+ *   - Prompts the operator for the TOTP code (hidden from logs).
+ *   - Mints the unseal token IN MEMORY and injects only the resulting
+ *     plaintext env vars into the child. The master/signing/TOTP
+ *     credentials never reach the child process or stdout.
+ *   - Optionally polls a health endpoint after the command exits.
+ *
+ *   $ sealed-env deploy -- docker compose up -d --build status
+ *   $ sealed-env deploy --health-url http://127.0.0.1:8090/actuator/health -- ./up.sh
+ *
+ * For the file path, defaults to `.env.sealed`. Override with --file.
+ *
+ * Compared to a hand-written deploy.sh: ~5 lines instead of ~130, and
+ * the token never appears in stdout (no fragile grep).
+ */
+
+import { execSync } from 'node:child_process';
+
+import { SealedEnvError } from '../../core/errors.js';
+import { execCommand } from './exec.js';
+import { parseFlags } from '../utils/flags.js';
+
+export async function deployCommand(argv: string[]): Promise<void> {
+  const sepIndex = argv.indexOf('--');
+  if (sepIndex === -1) {
+    throw new SealedEnvError(
+      'CONFIG_ERROR',
+      'usage: sealed-env deploy [--file <path>] [--health-url <url>] [--health-timeout <s>] [--allow-dirty] -- <command> [args...]\n' +
+        '\nThe `--` separator marks where sealed-env flags end.',
+    );
+  }
+
+  const sealedArgs = argv.slice(0, sepIndex);
+  const childArgs = argv.slice(sepIndex + 1);
+
+  if (childArgs.length === 0) {
+    throw new SealedEnvError('CONFIG_ERROR', 'no command given after `--`');
+  }
+
+  const { values } = parseFlags(sealedArgs, {
+    file: { type: 'string', default: '.env.sealed' },
+    'health-url': { type: 'string', default: '' },
+    'health-timeout': { type: 'string', default: '30' },
+    'allow-dirty': { type: 'boolean', default: false },
+    totp: { type: 'string', default: '' },
+    'deploy-id': { type: 'string', default: '' },
+  });
+
+  // ── Pre-flight ────────────────────────────────────────────────
+  let deployId = (values['deploy-id'] as string).trim();
+  if (!deployId) {
+    deployId = tryGitHead();
+  }
+
+  const allowDirty = values['allow-dirty'] as boolean;
+  if (!allowDirty && isInGitRepo() && isWorkingTreeDirty()) {
+    throw new SealedEnvError(
+      'CONFIG_ERROR',
+      'working tree is dirty — refusing to deploy.\n' +
+        'Commit or stash your changes first, or pass --allow-dirty (NOT recommended for prod).\n' +
+        'The deploy_id binds to the committed sha; uncommitted changes would silently not be in the build.',
+    );
+  }
+
+  // ── Banner ────────────────────────────────────────────────────
+  const banner = buildBanner(deployId);
+  process.stderr.write(banner);
+
+  // ── Delegate to exec ──────────────────────────────────────────
+  // exec handles: enterprise mode detection, TOTP prompt, token mint
+  // in memory, plaintext injection, signal forwarding, exit code
+  // propagation. We just feed it the right arguments.
+  const execArgs: string[] = [
+    '--file',
+    values.file as string,
+  ];
+  if (deployId) execArgs.push('--deploy-id', deployId);
+  if (values.totp) execArgs.push('--totp', values.totp as string);
+  execArgs.push('--', ...childArgs);
+
+  await execCommand(execArgs);
+
+  // If the child exited non-zero, exec already set process.exitCode.
+  // No point health-checking a failed deploy.
+  if (process.exitCode && process.exitCode !== 0) {
+    return;
+  }
+
+  // ── Optional health check ────────────────────────────────────
+  const healthUrl = (values['health-url'] as string).trim();
+  if (healthUrl) {
+    const timeoutS = Math.max(Number(values['health-timeout']) || 30, 1);
+    process.stderr.write(`\n▸ Waiting for ${healthUrl} (up to ${timeoutS}s)...\n`);
+    const ok = await pollHealth(healthUrl, timeoutS * 1000);
+    if (!ok) {
+      process.stderr.write(`✗ health check failed after ${timeoutS}s\n`);
+      process.exitCode = 1;
+      return;
+    }
+    process.stderr.write(`✓ ${healthUrl} returned 200\n`);
+  }
+
+  process.stderr.write(
+    `\n✓ Deploy successful${deployId ? ` (${deployId.substring(0, 7)})` : ''}\n`,
+  );
+}
+
+function tryGitHead(): string {
+  try {
+    return execSync('git rev-parse HEAD', { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] })
+      .trim();
+  } catch {
+    return '';
+  }
+}
+
+function isInGitRepo(): boolean {
+  try {
+    execSync('git rev-parse --is-inside-work-tree', {
+      stdio: ['ignore', 'ignore', 'ignore'],
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isWorkingTreeDirty(): boolean {
+  try {
+    execSync('git diff-index --quiet HEAD --', {
+      stdio: ['ignore', 'ignore', 'ignore'],
+    });
+    return false;
+  } catch {
+    return true;
+  }
+}
+
+function buildBanner(deployId: string): string {
+  const short = deployId ? deployId.substring(0, 7) : '(no git)';
+  let branch = '';
+  let subject = '';
+  try {
+    branch = execSync('git rev-parse --abbrev-ref HEAD', {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+    }).trim();
+    subject = execSync('git log -1 --pretty=%s', {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+    })
+      .trim()
+      .substring(0, 60);
+  } catch {
+    /* not a git repo, skip */
+  }
+  return [
+    '',
+    '  ┌─ sealed-env deploy ──────────────────────────────────────┐',
+    `  │  branch:  ${branch || '(unknown)'}`,
+    `  │  commit:  ${short}`,
+    ...(subject ? [`  │  message: ${subject}`] : []),
+    '  └──────────────────────────────────────────────────────────┘',
+    '',
+  ].join('\n');
+}
+
+/**
+ * Poll an HTTP endpoint until it returns 2xx or the timeout elapses.
+ * Uses Node's built-in fetch (Node 18+). 1s between attempts.
+ */
+async function pollHealth(url: string, timeoutMs: number): Promise<boolean> {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(2000) });
+      if (res.ok) return true;
+    } catch {
+      /* swallow, keep retrying */
+    }
+    await new Promise((r) => setTimeout(r, 1000));
+  }
+  return false;
+}