@hobble-env/cli

v3.3.10

CLI for managing secrets via hobble

Hobble CLI

A command-line tool for managing secrets stored in your secret management dashboard. Hobble lets you create, read, update, and delete secrets, and inject them into your development workflow as environment variables.

Installation

Install globally from npm:

npm install -g @hobble-env/cli

This provides the hobble command.

From source

From the project root:

cd cli && npm install

Run commands with:

npx tsx cli/bin/hobble.ts <command>

Or use the shortcut from the root:

npm run hobble -- <command>

Getting Started

One command does it all:

hobble init --url https://secrets.your-company.dev

If you aren't signed in to that instance yet (or your session expired), init starts the browser login first, then walks you through selecting a project and environment, saves the choice to a .hobble file in your current directory, and pins the instance URL in it. Drop that line in a project README and a new teammate is set up in one step.

Without --url, init targets your default instance (http://localhost:3000 until you've logged in somewhere). You can switch project/environment later with:

hobble switch my-project/staging

Logging in separately

hobble login                   # browser device flow; prompts for the URL
hobble login --url https://secrets.your-company.dev
hobble login --api-key         # paste a long-lived API key instead

API keys are generated from the dashboard under Settings > API Keys. Credentials are stored per instance, so logging in to a second instance doesn't sign you out of the first.

Commands

Secrets

hobble list                    # List all secrets (names only, no values)
hobble list --json             # List as JSON

hobble get DB_HOST             # Print a secret's decrypted value
hobble get DB_HOST --json      # Output as JSON

hobble set DB_HOST localhost   # Create or update a secret
echo "s3cr3t" | hobble set DB_PASS -   # Set from stdin (avoids shell history)

hobble delete DB_HOST          # Delete a secret (with confirmation)
hobble delete DB_HOST -y       # Skip confirmation

Credentials (org-scoped)

Credentials are org-scoped shared logins and API secrets, distinct from the per-environment secrets above. Note the noun: hobble get DB_HOST reads an environment secret, while hobble secret get stripe (alias of hobble credential get stripe) reads an org credential.

hobble credential list               # List credentials (no values)
hobble secret list --json            # Same, via the alias, as JSON (includes tags)

hobble secret get stripe             # Print a credential's decrypted value
hobble secret get stripe --field username   # Print the username instead
hobble secret get stripe --json      # Full object (name, username, url, value, tags)

hobble secret set stripe sk_live_123 --username [email protected] --url https://stripe.com
echo "sk_live_123" | hobble secret set stripe -    # Value from stdin
hobble secret set stripe sk_test_9 --tag billing --tag prod   # Attach org tags

hobble secret delete stripe

Credential names are case-insensitive and unique per organization — no --project/--env needed, but the CLI must know which org you mean:

  • If your login/API key reaches exactly one org, it is used automatically.

  • If it reaches several orgs, commands fail with an "ambiguous across organizations" error listing the candidates — pass --org <slug|id> (either the org slug or its id works):

    hobble secret get stripe --org acme-prod

  • A project/env-only scoped API token has no org-scoped credential access and gets a clear error — create an org-scoped token instead.

CI usage: when stdout is not a TTY the value is printed raw (no decoration, no trailing newline), so command substitution is clean:

export STRIPE_KEY=$(hobble secret get stripe --field value)

Running Commands with Secrets

Fetch secrets from the dashboard and inject them as environment variables into a subprocess:

hobble run npm run dev
hobble run -- node server.js --port 8080

Secrets are injected in-memory only -- nothing is written to disk.

Starting a Subshell with Secrets

Start an interactive subshell with the current project/environment's secrets injected as environment variables. Exit the subshell (type exit or Ctrl+D) to return to your original shell with its original environment intact.

# In a directory with a .hobble file
hobble shell

# Or specify project/env explicitly
hobble shell --project my-app --env production

Inside the subshell, three extra env vars are set so scripts can detect the context:

  • HOBBLE_PROJECT — project name
  • HOBBLE_ENVIRONMENT — environment name
  • HOBBLE_SHELL -- <project>/<environment>

For bash and zsh, your prompt is prefixed with (hobble:<project>/<environment>) as a visual reminder. Other shells keep their default prompt; use $HOBBLE_SHELL to build your own prompt indicator if desired.
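The injection model behind hobble run and hobble shell, as an added example (not Hobble's own code): secrets are merged into a copy of the environment and handed only to the child process, so the parent's environment and the disk stay untouched. The function names, the sample secrets and the variable-name check are assumptions made for illustration; the three HOBBLE_* markers are the ones listed above for the subshell.

```javascript
// Added example, not Hobble's source: secrets reach the child only through its
// environment block; the parent's process.env and the disk are left untouched.
const { spawnSync } = require('node:child_process');

// Assumption: only portable shell variable names are accepted.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildChildEnv(parentEnv, secrets, { project, environment }) {
  const childEnv = { ...parentEnv }; // copy, so the parent is never mutated
  for (const [name, value] of Object.entries(secrets)) {
    if (!ENV_NAME.test(name)) throw new Error(`not a valid variable name: ${name}`);
    childEnv[name] = String(value);
  }
  // Context markers the README lists for `hobble shell`.
  childEnv.HOBBLE_PROJECT = project;
  childEnv.HOBBLE_ENVIRONMENT = environment;
  childEnv.HOBBLE_SHELL = `${project}/${environment}`;
  return childEnv;
}

function runWithSecrets(secrets, ctx, command, args) {
  const result = spawnSync(command, args, {
    env: buildChildEnv(process.env, secrets, ctx),
    encoding: 'utf8',
  });
  if (result.error) throw result.error;
  return { status: result.status, stdout: result.stdout };
}

// Constructed sample values; the child is this same Node binary.
const SAMPLE = { DB_HOST: 'localhost', DB_PASS: 's3cr3t' };
const CTX = { project: 'my-app', environment: 'staging' };

function demo() {
  const script =
    'process.stdout.write([process.env.DB_PASS, process.env.HOBBLE_SHELL].join(" "))';
  const child = runWithSecrets(SAMPLE, CTX, process.execPath, ['-e', script]);
  // The child saw the secret; the parent process never had it set.
  return { childSaw: child.stdout, parentHas: 'DB_PASS' in process.env };
}
```

Environment variables are inherited by everything the child spawns, and on Linux they are readable through /proc/<pid>/environ by the same user, so "not written to disk" is not the same as "visible only to one program".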

Managing .env Files

hobble env pull                # Write secrets to .env
hobble env pull --force        # Overwrite existing .env
hobble env pull -o .env.local  # Write to a custom path

hobble env push                # Push .env contents to the dashboard
hobble env push -y             # Skip confirmation
hobble env push -i .env.local  # Push from a custom path

Account

hobble whoami                  # Show current user, org, and instance info
hobble logout                  # Remove credentials for the current instance
hobble logout --all            # Remove credentials for every instance

Configuration

Global Config

Stored at ~/.config/hobble/config.json after hobble login or hobble init. Holds your default instance URL and one credential per instance:

{
  "apiUrl": "https://secrets.your-company.dev",
  "credentials": {
    "https://secrets.your-company.dev": { "type": "session", "token": "…", "expiresAt": "…" },
    "http://localhost:3000": { "type": "apiKey", "token": "…" }
  }
}

Override with environment variables:

  • HOBBLE_API_KEY -- override the stored credential
  • HOBBLE_API_URL -- override the instance URL

Project Config

The .hobble file in your project directory stores the default project and environment, and optionally pins an instance URL (written by hobble init --url):

{ "project": "my-app", "environment": "staging", "apiUrl": "https://secrets.your-company.dev" }

A pinned apiUrl takes precedence over the global default (but not over HOBBLE_API_URL), so different checkouts can talk to different instances. Credentials never live in .hobble. Add it to .gitignore -- hobble init will offer to do this for you.

Override per-command with flags:

hobble list --project my-app --env production
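The precedence rules from the Configuration section, as an added example (not Hobble's own code) that reports which instance and which credential a given checkout would use, plus a few checks worth running before trusting that answer. The function name, the warning texts, the exact-string credential lookup and the ISO 8601 format of expiresAt are assumptions; the token itself is never returned.

```javascript
// Added example, not Hobble's source. Precedence follows the README:
// HOBBLE_API_URL > .hobble apiUrl > global apiUrl > http://localhost:3000,
// and HOBBLE_API_KEY overrides the stored per-instance credential.
const DEFAULT_URL = 'http://localhost:3000';

function resolveTarget({ env = {}, project = {}, global = {} }, now = new Date()) {
  const candidates = [
    ['HOBBLE_API_URL', env.HOBBLE_API_URL],
    ['.hobble', project.apiUrl],
    ['global config', global.apiUrl],
    ['built-in default', DEFAULT_URL],
  ];
  const [source, apiUrl] = candidates.find(([, url]) => Boolean(url));

  // Credentials are stored per instance, so the lookup key is the resolved URL.
  const stored = (global.credentials || {})[apiUrl];
  const credential = env.HOBBLE_API_KEY
    ? { type: 'apiKey', from: 'HOBBLE_API_KEY' }
    : stored ? { type: stored.type, from: 'global config' } : null;

  const warnings = [];
  const { protocol, hostname } = new URL(apiUrl);
  const local = ['localhost', '127.0.0.1', '[::1]'].includes(hostname);
  if (protocol !== 'https:' && !local) warnings.push('instance URL is not HTTPS');
  if (source === '.hobble' && !stored) warnings.push('pinned instance has no stored credential');
  // Assumption: expiresAt is an ISO 8601 timestamp (the README elides its value).
  if (!env.HOBBLE_API_KEY && stored && stored.type === 'session' &&
      stored.expiresAt && new Date(stored.expiresAt) <= now) {
    warnings.push('stored session has expired');
  }
  return { apiUrl, source, credential, warnings };
}

// Constructed sample mirroring the config.json shape shown above.
const SAMPLE_GLOBAL = {
  apiUrl: 'https://secrets.your-company.dev',
  credentials: {
    'https://secrets.your-company.dev':
      { type: 'session', token: 'constructed', expiresAt: '2020-01-01T00:00:00Z' },
    'http://localhost:3000': { type: 'apiKey', token: 'constructed' },
  },
};
console.log(resolveTarget({ project: { apiUrl: 'http://localhost:3000' }, global: SAMPLE_GLOBAL }));
```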