@elding/cli

Protect HTTP API keys while developing with AI coding tools. The Elding CLI runs your application behind a local proxy that injects each key into the outgoing HTTPS request. The real key never enters your application's memory or process.env.

npm install -g @elding/cli

Always install the scoped package @elding/cli. The unscoped elding package is unrelated.

Quickstart

elding login
elding init
elding proxy -- npm run dev

Use @elding/sdk in your code:

import OpenAI from "openai";
import { configure } from "@elding/sdk";

const openai = new OpenAI(
  await configure("OPENAI_API_KEY", "https://api.openai.com")
);

Elding is intentionally specialized in HTTP API keys. Keep DATABASE_URL, JWT_SECRET, REDIS_URL, certificates, and database passwords in your platform's environment variables.

Commands

| Command | Purpose | |---|---| | elding login / logout | Sign in or out; the token is stored in the OS keychain | | elding init | Link the current project to an API key set | | elding proxy -- <cmd> | Run a command behind the secure local injection proxy | | elding deploy | Generate the scoped deployment token and production variables | | elding keys / sets | List API key names or accessible sets | | elding use <name> | Switch the active set | | elding status / whoami | Show local state or the signed-in user | | elding doctor | Diagnose authentication, set, keys, and proxy configuration | | elding open | Open the Elding dashboard |

The local proxy is the only execution mode. API keys are never injected wholesale into process.env.

Security model

• The proxy binds to 127.0.0.1 only.
• API keys are inserted into request headers at the last moment.
• Host locking prevents a key from being sent to an unauthorized domain.
• Anti-SSRF checks block private and metadata-network targets.
• Key values, request bodies, responses, and query strings are never logged.

Documentation: https://docs.elding.app/en/cli/installation