@iicky/murk-secrets
v0.9.1
Published
Node.js/TypeScript bindings for murk — encrypted secrets manager
Downloads
592
Maintainers
Readme
@iicky/murk-secrets
Node.js/TypeScript bindings for murk — an encrypted secrets manager for developers.
Prerequisites
You need the murk CLI to create and manage vaults. This package only reads them.
# Install the CLI first
brew tap iicky/murk && brew install murk
# Initialize a vault and add secrets
murk init
murk add DATABASE_URL
murk add API_KEYThen add the Node package to your project:
npm install @iicky/murk-secretsQuick start
# Load your key (created by murk init)
source .envimport { load, get, exportAll } from '@iicky/murk-secrets'
// Load the vault (reads MURK_KEY from environment)
const vault = load()
// Get a single secret
const dbUrl = vault.get('DATABASE_URL')
// Get all secrets as an object
const secrets = vault.export()
// One-liners
get('DATABASE_URL')
exportAll()API
load(vaultPath?: string): Vault
Load and decrypt a murk vault. Reads MURK_KEY or MURK_KEY_FILE from the environment.
get(key: string, vaultPath?: string): string | null
One-liner: load the vault and get a single value.
exportAll(vaultPath?: string): Record<string, string>
One-liner: load the vault and export all secrets as an object.
hasKey(): boolean
Check if a MURK_KEY is available in the environment.
Vault
| Method | Returns | Description |
|--------|---------|-------------|
| vault.get(key) | string \| null | Get a single decrypted value |
| vault.export() | Record<string, string> | All secrets as an object |
| vault.keys() | string[] | List of key names |
| vault.has(key) | boolean | Check if a key exists |
| vault.length | number | Number of secrets |
Scoped (per-user) overrides are applied automatically — if you have a scoped value for a key, it takes priority over the shared value.
Agent policy
When the loaded key is an agent grant (minted with murk agent grant), the vault's agent policy is enforced on read, the same way the CLI enforces it at murk agent exec: get() and export() throw if the policy forbids a key. Operator keys are unaffected. This makes a policy vault strict from every entry point — though an agent already cannot decrypt out-of-scope secrets at all, since its ephemeral key is not a recipient of them.
Requirements
- Node.js >= 16
- murk CLI installed (to create and manage vaults)
- A
.murkvault file in your project (created withmurk init) MURK_KEYorMURK_KEY_FILEin the environment (created bymurk init, loaded viasource .env)
License
MIT OR Apache-2.0
