@niravcanvas/observer
v0.0.6
Published
Observer — encrypted secret-sending CLI + TUI
Readme
Observer
Encrypted secret-sending for developers — a CLI + TUI. Send an env var, an API token, a code snippet, or a file to a teammate without leaving the terminal.
End-to-end encrypted with libsodium (NaCl). The relay only ever sees ciphertext — never your messages, files, keys, or passphrase.
Install
npm install -g @niravcanvas/observerRequires Node.js 22 or newer. The command is observer.
Quick start
observer login # create your identity, print your shareable code
observer info # show your name and code again
observer add kai <their-code> # add a contact — you pick the local name
observer send kai "deploy is green" # encrypt + relay a message
observer view kai # pull from the relay, decrypt, show the thread
observer # open the interactive TUIBoth people install the app, run observer login, and swap the codes that observer info prints. Add each other with observer add, and you can message. Your code encodes your public key; contacts are plain local names you choose.
Sending files
observer send kai --file ./.env.production # send any file (up to 10 MiB)
observer send kai --code ./server.ts # send a source file (syntax-highlighted)
observer send kai --clip # send whatever's on your clipboardReceived files are saved to ~/.config/observer/inbox/ (collision-safe — report.pdf, then report (1).pdf). The filename is encrypted and authenticated along with the contents, so the relay can neither read it nor change it.
Options
| Flag | Applies to | Meaning |
|------|------------|---------|
| --file <path> | send | Send a file |
| --code <path> | send | Send a source file (highlighted for the reader) |
| --clip | send | Send the system clipboard |
| --burn | send | Burn-after-read (one-time view) |
| --ttl <dur> | send | Expiry, e.g. 30s, 10m, 24h, 7d |
| --copy | info | Copy your code to the clipboard |
With no message and no flag, observer send <name> prompts for a secret without echoing it to the screen.
Security model
- X25519
crypto_box— authenticated direct messages; opening a message cryptographically proves who sent it. - Argon2id +
crypto_secretbox— opt-in encryption of your identity key at rest (setOBSERVER_PASSPHRASEbeforelogin); otherwise the key is stored locally as-is so commands never prompt. - Authenticated metadata — kind, burn policy, TTL, filename, and a per-conversation sequence number are bound into the ciphertext, so a relay cannot tamper with them or replay an old message.
- The relay is dumb — it store-and-forwards opaque ciphertext and never sees plaintext, keys, or passphrases.
Configuration
| Variable | Default | Purpose |
|----------|---------|---------|
| OBSERVER_RELAY | wss://observer.canvasco.in/relay | Relay URL to connect to |
| OBSERVER_INBOX | <config>/inbox | Where received files are written |
| OBSERVER_HOME | ~/.config/observer | Config + local message store |
| OBSERVER_PASSPHRASE | (unset) | Encrypt the identity key at rest (Argon2id) |
Point the app at your own relay by setting OBSERVER_RELAY (e.g. ws://127.0.0.1:8787/relay for local development).
License
MIT
