CLI
Manage projects, schema, and secret values from the command line. Every command exits with a meaningful status code for scripting.
Run vaultlier --help for a summary, or vaultlier <command> --help for details on any command.
init
Sets up the current directory. Installs the dependency if needed, offers a browser login when you have no account credentials, lets you pick or create a project, and writes vaultlier.json and lib/vaultlier.ts.
vaultlier init
# Non-interactive (CI):
vaultlier init --project-id=prj_29ec67d64dd1 --api-key=vlt_live_...The API key is optional at init time — press Enter to skip it. Re-run with --force to overwrite existing metadata.
login / logout
login authenticates the machine via the OAuth device-code flow: it shows a verification URL and a short code, you approve it in the browser, and the CLI receives an account token. The token is stored per-user in ~/.vaultlier/auth.json with owner-only permissions.
vaultlier login # approve in the browser
vaultlier logout # remove the stored account tokenAccount token ≠ project key
The account token only authorizes listing and creating projects. It can never read secrets — that always requires a project API key. Review and revoke device sessions from the portal under Account & devices.config
Manage the local project binding and credentials.
| Command | Effect |
|---|---|
config set project=<id> | Update vaultlier.json and regenerate the typed client. |
config set apiKey=<vlt_…> | Update the local credential cache only; the key is never printed back. |
config get | Show the current project, masked API key, and account login state. |
config verify | Re-validate the project id + API key against the portal. |
vaultlier config set project=prj_29ec67d64dd1
vaultlier config set apiKey=vlt_live_...
vaultlier config get
vaultlier config verifyscan
Detects environment-variable keys referenced in your code and .env files and offers to add them to your schema metadata. Values are ignored — only key names are read.
vaultlier scan # report detected keys
vaultlier scan --yes # add them to vaultlier.json without promptingpush / pull / diff
These sync schema metadata — key names, types, scopes, and environments — with the portal. Secret values are never sent or received by these commands.
push— send local schema additions to the portal (additive; nothing is deleted server-side).pull— fetch the portal schema and regenerate the typed client. Without an API key it falls back to regenerating from local metadata.diff— show what differs between local and portal.
vaultlier push --env=prod
vaultlier pull --env=prod
vaultlier diff --env=prodset
Writes one or more KEY=VALUE pairs to a single environment. Keys must already exist in the schema and be scoped to the target environment — both are checked locally before any value leaves your machine. Values are sealed server-side as new immutable versions. Requires an API key with the member role or higher.
vaultlier set DATABASE_URL=postgres://prod-db/main --env=prod
vaultlier set STRIPE_SECRET=sk_live_... FEATURE_NEW_FLOW=true -e prodIf the target environment does not exist yet, set offers to create it (pass --yes to skip the prompt in CI). It declares the environment through an additive schema push, then writes the values.
vaultlier set DATABASE_URL=postgres://wip-db --env=working --yesdev
Starts a read-only dashboard bound to loopback (http://127.0.0.1:9090) showing your project metadata. When an API key is available it also displays values for the dev environment only; staging and prod values are never read or displayed, and nothing is written to disk.
vaultlier dev
vaultlier dev --port=4000whoami
Prints the resolved project context: project id, environments, and the masked API key.
vaultlier whoamiFlag conventions
Every value flag has a canonical --kebab-case long form; common ones also have a single-letter short form. Both --flag=value and --flag value work.
| Short | Long | Aliases | Used by |
|---|---|---|---|
| -e | --env | --environment | pull, push, diff, set |
| -k | --api-key | --apiKey | all portal commands |
--api-url | --apiUrl | all portal commands | |
--project-id | --projectId | init | |
| -p | --port | dev | |
| -o | --output | --generate, --generate-env | |
| -y | --yes | prompts | |
| -f | --force | init, generated .env | |
| -h | --help | everywhere |
Output & scripting
Commands print status-prefixed lines and show a spinner while talking to the portal. Styling degrades gracefully:
- Colors and spinners activate only on an interactive terminal.
- They are suppressed when output is piped or
CIis set, so logs stay plain. NO_COLORdisables colors;FORCE_COLORforces them.- Spinners render on stderr, keeping stdout clean for scripting.