devdrops
v1.0.1
Published
devdrops CLI — pull a project's encrypted secrets, commands and setup notes into any machine, CI job or AI agent, and sync whole project folders end-to-end encrypted.
Maintainers
Readme
devdrops CLI — "Dropbox for devs" sync
Sync your project folders across every machine and cloud agent — with end-to-end
encrypted file contents and .env included, without the Git dance.
How it works
- Manifest in Firestore — the file tree (path → content hash) syncs instantly, so a new machine sees the whole structure the moment it links, before any file is downloaded.
- Content-addressed blobs in Storage — file contents are stored under the SHA-256 of their plaintext, AES-256-GCM encrypted with the vault DEK (the same key that protects secrets). The server never sees plaintext, identical files are stored once, and a single API token can unlock both files and secrets. (Blobs synced before this change stay readable via a password fallback.)
- Dev-aware ignore + rehydrate —
node_modules,dist,.next,target,.venv… are never synced (they're OS-specific). Their lockfiles are, andpull --installrebuilds deps locally (npm ci,pip install,cargo build, …).
Usage
npm install # in cli/
node devdrops.mjs login # cache creds in ~/.devdrops/config.json (chmod 600)
# machine A
cd ~/code/my-project
node devdrops.mjs init "my-project" # register the folder
node devdrops.mjs push # encrypt + upload changed files
# machine B (or a cloud agent)
node devdrops.mjs list # see your synced projects
node devdrops.mjs clone <projectId> # tree materializes here
node devdrops.mjs pull --install # get updates + rebuild deps
node devdrops.mjs status # local vs remote diff
# either machine — automatic background sync (the "real Dropbox" feel)
node devdrops.mjs watch # auto-push on local change, auto-pull on remote change
# on-demand access — the whole tree, download only what you touch
node devdrops.mjs link <projectId> # link a folder, download nothing
node devdrops.mjs ls # show the entire tree (0 downloads)
node devdrops.mjs cat src/index.js # hydrate + print just that one file
node devdrops.mjs mount ./code # FUSE mount (Linux/macFUSE): files download on first readwatch is additive (it never auto-deletes) so a live two-way sync can't race a
teammate's just-added file into a deletion. Deletions propagate through an
explicit push, which prunes.
Auth for headless folder-sync use: set DEVDROPS_EMAIL + DEVDROPS_PASSWORD env vars.
Token access (CI / agents — no password)
For pipelines and cloud agents that just need a project's secrets / commands / setup, use an API token instead of your password. Create one in devdrops → Settings → API-Tokens, then:
export DEVDROPS_TOKEN=ddp_… # or: node devdrops.mjs token ddp_…
node devdrops.mjs projects # list projects
node devdrops.mjs secrets <id> # print decrypted KEY=value
node devdrops.mjs secrets <id> --env production
node devdrops.mjs env <id> -o .env # write a .env file
node devdrops.mjs commands <id> # saved commands
node devdrops.mjs setup <id> # setup notesStill zero-knowledge: the API returns ciphertext + the token-wrapped vault key; the CLI unwraps and decrypts locally. The token is stored as a hash only, is scoped to reads, and can be revoked anytime. This is the recommended auth for CI and AI agents — no account password on disk.
Roadmap
- M1 (done):
push/pull/clone— manual sync, encrypted, dev-aware ignore. - M2 (done):
devdrops watch— background daemon, auto push/pull on change (real-Dropbox feel), bidirectional via Firestore realtime. - M3 (done): on-demand access —
link+ls/catshow the whole tree and hydrate only touched files (works on any OS);mountexposes the same engine as a real FUSE filesystem on Linux/macFUSE (the key flow for cloud AI agents). Hydrated blobs are cached in~/.devdrops/cache/(content-addressed, shared across projects).
