npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

extreme-vault

v0.1.1

Published

Zero-knowledge secrets CLI for Extreme Vault. Inject secrets into subprocesses (like 1Password's `op run`) or fetch them ad-hoc. Secrets are decrypted client-side with your service token.

Downloads

116

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

kindflowkindflow

Keywords

secretssecret-managementclizero-knowledgeenvenvironment-variablesdotenvvaultextreme-vault

Readme

extreme-vault

The official CLI for Extreme Vault — a zero-knowledge secrets manager. Inject secrets into subprocesses at runtime, or fetch them ad-hoc from your terminal. Secrets are decrypted on your machine; the server never sees plaintext.

The CLI is the op run equivalent for Extreme Vault.

Install

npm i -g extreme-vault

Requires Node.js ≥ 20. Installs two equivalent bins: extreme-vault and the shorter extreme.

Authenticate

Create a service token from the dashboard:

  1. Sign in at https://extreme-vault.com.
  2. Open a vault → Service TokensCreate Token.
  3. Pick an environment, role (reader or writer), and expiry (max 30 days).
  4. Copy the token — it is shown exactly once.

Export it in the shell where you will run the CLI:

export EXTREME_TOKEN=xv_st_...

The token is a three-part string: xv_st_<id>.<authSecret>.<unwrapSecret>. Only the first two parts ever travel to the server; the unwrap secret stays on your machine so a passive server compromise cannot decrypt your vault. Treat the full token like a password — anyone with it has full access to the vault and environment it was scoped to until it expires or is revoked.

Usage

Inject secrets into a subprocess (the op run equivalent)

The most common workflow. Write a .env.extreme file whose values are either plain strings or extreme:// URIs pointing at secrets:

# .env.extreme
DATABASE_URL=extreme://production/default/DATABASE_URL
STRIPE_KEY=extreme://production/default/STRIPE_KEY
APP_NAME=my-app             # non-URI values pass through unchanged
# comments and blank lines are ignored

Run any command with those values resolved into its environment:

extreme-vault run --env-file .env.extreme -- node server.js
extreme-vault run --env-file .env.extreme -- docker compose up
extreme-vault run --env-file .env.extreme -- pnpm test

Secrets exist only in the subprocess's environment — never on disk, never in your shell's history. --env-file defaults to .env.extreme if omitted.

Read a single secret

extreme-vault secret get <vault> <env> <name>
# e.g.
extreme-vault secret get production default DATABASE_URL

Use -q / --quiet to print only the value with no trailing newline (useful for command substitution).

Write a secret

extreme-vault secret set <vault> <env> <name> <value>
# or from stdin:
cat secret.key | extreme-vault secret set <vault> <env> SSH_KEY
# or from a file:
extreme-vault secret set <vault> <env> TLS_CERT --from-file ./cert.pem

Requires a writer role service token.

List secrets in an environment

extreme-vault secret list <vault> <env>
extreme-vault secret list <vault> <env> --format json

Delete a secret

extreme-vault secret delete <vault> <env> <name> --confirm

Resolve an extreme:// URI ad-hoc

extreme-vault resolve extreme://production/default/DATABASE_URL

Handy in shell scripts:

DB_URL=$(extreme-vault resolve -q extreme://production/default/DATABASE_URL)

Check the current service token's scope

extreme-vault whoami
# Service token — vault: production, env: default, role: reader, expires: 2026-05-14

URI format

extreme://<vault>/<environment>/<secret>

Only the run and resolve commands understand URIs. The secret * commands take positional arguments instead.

Security model

  • Zero-knowledge: secrets are encrypted on the client. The server stores only ciphertext.
  • Split service token: the token's unwrap half never leaves your machine, so the server cannot derive your vault key from observed traffic.
  • Vault-scoped: each token can read/write secrets for one vault and one environment only.
  • Expiring: tokens have a mandatory expiry of at most 30 days.
  • Revocable: revoke any active token from the dashboard. Revocation is immediate.
  • No persistent state on your machine: the CLI writes nothing to disk. EXTREME_TOKEN lives only as long as your shell session.
  • Safe errors: the CLI never prints stack traces, cryptographic internals, or token substrings — just a short, user-facing message.

Troubleshooting

| Message | Likely cause | |---|---| | Invalid service token | EXTREME_TOKEN is malformed or was copied incorrectly. | | Token cannot decrypt this vault | The token's unwrap half doesn't match the wrapped vault key (token was tampered with, or the vault/env scope is wrong). | | Unauthorized — check EXTREME_TOKEN | Token expired or was revoked. | | Access denied | Token role (reader) is insufficient for the operation, or org subscription is inactive. | | Not found | Vault name, environment name, or secret name does not exist. |

Links