npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@hermit-kms/cli

v0.5.2

Published

Hermit KMS CLI — Secure secret management from your terminal

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

ranakoranako

Keywords

kmssecretsvaultclisecuritydevops

Readme

Hermit CLI

Hermit CLI is the terminal-native interface for Hermit KMS. It covers authentication, explicit organization and vault context, team administration, key lifecycle operations, secret hierarchy management, and environment injection for local development and CI workflows.

Requirements

  • Node.js 18+
  • A reachable Hermit API base URL, typically http://localhost:5001/api/v1 in local development

Install

Monorepo usage

npm install
npm run -w apps/cli build
node apps/cli/dist/index.js --help

Local linking

cd apps/cli
npm link
hermit --help

Package installation

npm install -g @hermit/cli
hermit --help

First-time setup

Set the API server:

hermit config set-server http://localhost:5001/api/v1

Authenticate and choose context:

hermit auth login
hermit org select <org>
hermit vault select <vault>

If your account can access multiple organizations or vaults, the CLI now requires an explicit selection instead of silently picking the first match.

Core command families

hermit auth login
hermit org list
hermit team list
hermit vault list
hermit key list
hermit group tree
hermit secret list
hermit run -- npm run dev
hermit whoami

Output modes

  • Interactive TTY mode uses Hermit-styled status output, cards, and boxes.
  • --json emits machine-readable output for automation.
  • --non-interactive disables prompts and requires explicit flags for destructive flows.
  • --no-color disables ANSI colors for plain logs and CI output.

Secret hierarchy

Hermit supports both group terminology and path-first UX:

hermit group create --name prod
hermit group create --path prod --name api
hermit secret list --path prod/api
hermit run --inject prod/api -- npm run dev
hermit run --inject prod/api/DATABASE_URL -- node server.js

Project config

Use hermit config init to generate .hermit.yml.

Example:

version: 1
server: http://localhost:5001/api/v1

environments:
  development:
    organization: acme
    vault: my-project
    path: dev/api
    recursive: true
    secrets:
      - DATABASE_URL
      - REDIS_URL
    map:
      DATABASE_URL: APP_DATABASE_URL

  production:
    organization: acme
    vault: my-project
    group: prod-config
    recursive: true

Resolution precedence:

  1. CLI flags
  2. .hermit.yml environment block
  3. active stored CLI context

Notes:

  • Top-level server is applied when commands load .hermit.yml.
  • organization lets hermit run --env <name> resolve the target vault deterministically.
  • group and path are mutually exclusive.
  • folder targets are recursive by default.
  • mapped environment names must be unique or the run fails with a collision error.

Protected secret access

Protected reveal flows support both layers of the current backend model:

hermit secret get DATABASE_URL --password <secret-password>
hermit secret get DATABASE_URL --vault-password <vault-password>
hermit run --env production --vault-password <vault-password> -- node server.js
hermit run --inject prod/api --vault-password <vault-password> -- node server.js

If a password is omitted in interactive mode, the CLI prompts for the required secret or vault password and retries with the correct field.

CI usage

Use JSON and non-interactive mode together:

hermit --non-interactive --json auth status
hermit --non-interactive run --env production -- node server.js

Behavior in CI:

  • no prompts
  • no animated output
  • destructive commands require --yes
  • missing org or vault context fails fast instead of auto-selecting
  • protected secrets are skipped during injected runs unless the workflow provides the required password flags