Enkryptify · SiebeBaree · May 21, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "@enkryptify/cli",
-    "version": "0.3.5",
+    "version": "0.4.0",
     "bin": {
         "ek": "./dist/cli.js"
     },

diff --git a/src/api/auth.ts b/src/api/auth.ts
@@ -2,7 +2,7 @@ import { env } from "@/env";
 import { config as configManager } from "@/lib/config";
 import { CLIError } from "@/lib/errors";
 import { logger } from "@/lib/logger";
-import { keyring } from "@/lib/keyring";
+import { secureStore } from "@/lib/secureStore";
 import http from "@/api/httpClient";
 import { createHash, randomBytes } from "crypto";
 import open from "open";
@@ -28,18 +28,11 @@ type AuthResponse = {
     expiresIn: number;
 };
 
-type StoredAuthData = {
-    accessToken: string;
-    userId: string;
-    email: string;
-};
-
 function base64Url(buf: Buffer) {
     return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+/g, "");
 }
 
 export class Auth {
-    private readonly KEYRING_KEY = "enkryptify";
     private readonly CLIENT_ID = "enkryptify-cli";
     private readonly REDIRECT_URL = "http://localhost:51823/callback";
     private readonly CALLBACK_PORT = 51823;
@@ -58,7 +51,7 @@ export class Auth {
 
         if (envToken) {
             if (options?.force) {
-                await keyring.delete(this.KEYRING_KEY);
+                await secureStore.clearAll();
             } else {
                 const isAuth = await this.getUserInfo(envToken).catch(() => false);
                 if (isAuth) {
@@ -69,7 +62,7 @@ export class Auth {
                     await configManager.markAuthenticated();
                     return;
                 } else {
-                    await keyring.delete(this.KEYRING_KEY);
+                    await secureStore.clearAll();
                 }
             }
         }
@@ -374,14 +367,11 @@ h1{font-size:18px;font-weight:600;color:#e4e8ec;letter-spacing:-.01em;margin:0}
     }
 
     private async markAuthenticated(accessToken: string, user: UserInfo): Promise<void> {
-        await keyring.set(
-            this.KEYRING_KEY,
-            JSON.stringify({
-                accessToken,
-                userId: user.id,
-                email: user.email,
-            }),
-        );
+        await secureStore.setAuth({
+            accessToken,
+            userId: user.id,
+            email: user.email,
+        });
 
         await configManager.markAuthenticated();
     }
@@ -410,21 +400,11 @@ h1{font-size:18px;font-weight:600;color:#e4e8ec;letter-spacing:-.01em;margin:0}
     }
 
     async getCredentials(): Promise<Credentials> {
-        const authDataString = await keyring.get(this.KEYRING_KEY);
-        if (!authDataString) {
+        const authData = await secureStore.getAuth();
+        if (!authData?.accessToken) {
             throw CLIError.from("AUTH_NOT_LOGGED_IN");
         }
 
-        try {
-            const authData = JSON.parse(authDataString) as StoredAuthData;
-            if (!authData || !authData.accessToken) {
-                throw CLIError.from("AUTH_NOT_LOGGED_IN");
-            }
-            return { accessToken: authData.accessToken };
-        } catch (error: unknown) {
-            if (error instanceof CLIError) throw error;
-            logger.debug(error instanceof Error ? error.message : String(error));
-            throw CLIError.from("AUTH_NOT_LOGGED_IN");
-        }
+        return { accessToken: authData.accessToken };
     }
 }
diff --git a/src/api/client.ts b/src/api/client.ts
@@ -1,4 +1,4 @@
-import { type ProjectConfig, config } from "@/lib/config";
+import { type ConfigureScope, type ProjectConfig, config } from "@/lib/config";
 import { CLIError } from "@/lib/errors";
 import { logger } from "@/lib/logger";
 import { getSecureInput, getTextInput } from "@/lib/input";
@@ -98,8 +98,8 @@ class EnkryptifyClient {
         await this.auth.login(options);
     }
 
-    async configure(options: string): Promise<ProjectConfig> {
-        const setup = await config.getConfigure(options);
+    async configure(options: string, configureOptions?: { scope?: ConfigureScope }): Promise<ProjectConfig> {
+        const setup = await config.getConfigure(options, configureOptions);
         if (setup) {
             const overwrite = await confirm("Setup already exists. Overwrite?");
             if (!overwrite) {

diff --git a/src/cli.ts b/src/cli.ts
@@ -43,7 +43,8 @@ if (isCompletion) {
 }
 
 setupTerminalCleanup();
-await analytics.init();
+// "scan" needs no authentication, so skip the keychain lookup to avoid a password prompt.
+await analytics.init({ skipAuthLookup: process.argv[2] === "scan" });
 
 const isUpgrade = process.argv[2] === "upgrade";
 if (!isCompletion && !isUpgrade) {

diff --git a/src/cmd/configure.ts b/src/cmd/configure.ts
@@ -1,21 +1,49 @@
-import { config } from "@/lib/config";
+import { type ConfigureScope, config } from "@/lib/config";
 import { analytics } from "@/lib/analytics";
 import { CLIError } from "@/lib/errors";
+import { getGitRepoInfo } from "@/lib/git";
 import { logger } from "@/lib/logger";
 import { client } from "@/api/client";
+import { selectName } from "@/ui/SelectItem";
 import type { Command } from "commander";
 
-export async function configure(): Promise<Record<string, string>> {
+type ConfigureCommandOptions = {
+    git?: boolean;
+};
+
+const GIT_SCOPE_LABEL = "Git repository (recommended)";
+const PATH_SCOPE_LABEL = "This path only";
+
+async function resolveConfigureScope(projectPath: string, options: ConfigureCommandOptions): Promise<ConfigureScope> {
+    if (options.git) {
+        return "git";
+    }
+
+    const gitRepo = await getGitRepoInfo(projectPath);
+    if (!gitRepo) {
+        return "path";
+    }
+
+    const selectedScope = await selectName(
+        [GIT_SCOPE_LABEL, PATH_SCOPE_LABEL],
+        "Connect this setup to this path or to the Git repository?",
+    );
+
+    return selectedScope === PATH_SCOPE_LABEL ? "path" : "git";
+}
+
+export async function configure(options: ConfigureCommandOptions = {}): Promise<Record<string, string>> {
     const authenticated = await config.isAuthenticated();
     if (!authenticated) {
         throw CLIError.from("AUTH_NOT_LOGGED_IN");
     }
 
     const projectPath = process.cwd();
+    const scope = await resolveConfigureScope(projectPath, options);
 
-    const projectConfig = await client.configure(projectPath);
+    const projectConfig = await client.configure(projectPath, { scope });
 
-    await config.createConfigure(projectPath, projectConfig);
+    await config.createConfigure(projectPath, projectConfig, { scope });
 
     return projectConfig;
 }
@@ -25,11 +53,12 @@ export function registerConfigureCommand(program: Command) {
         .command("configure")
         .alias("setup")
         .description("The configure command is used to set up a project with Enkryptify.")
-        .action(async () => {
+        .option("--git", "Connect this setup to the current Git repository instead of only this path")
+        .action(async (options: ConfigureCommandOptions) => {
             const tracker = analytics.trackCommand("command_configure");
 
             try {
-                const projectConfig = await configure();
+                const projectConfig = await configure(options);
                 tracker.success({
                     workspace_slug: projectConfig.workspace_slug,
                 });

diff --git a/src/cmd/index.ts b/src/cmd/index.ts
@@ -6,6 +6,7 @@ import { registerLoginCommand } from "@/cmd/login";
 import { registerLogoutCommand } from "@/cmd/logout";
 import { registerRunCommand } from "@/cmd/run";
 import { registerRunFileCommand } from "@/cmd/run-file";
+import { registerScanCommand } from "@/cmd/scan";
 import { registerSdkCommand } from "@/cmd/sdk";
 import { registerUpdateCommand } from "@/cmd/update";
 import { registerUpgradeCommand } from "@/cmd/upgrade";
@@ -17,6 +18,7 @@ export function registerCommands(program: Command) {
     registerLogoutCommand(program);
     registerWhoamiCommand(program);
     registerConfigureCommand(program);
+    registerScanCommand(program);
     registerRunCommand(program);
     registerRunFileCommand(program);
     registerSdkCommand(program);

diff --git a/src/cmd/login.ts b/src/cmd/login.ts
@@ -1,6 +1,6 @@
 import { analytics } from "@/lib/analytics";
 import { logger } from "@/lib/logger";
-import { keyring } from "@/lib/keyring";
+import { secureStore } from "@/lib/secureStore";
 import { Auth } from "@/api/auth";
 import { config as configManager } from "@/lib/config";
 import { LoginFlow } from "@/ui/LoginFlow";
@@ -21,25 +21,18 @@ export function registerLoginCommand(program: Command) {
             // when the user is already logged in.
             if (!options?.force) {
                 try {
-                    const authDataString = await keyring.get("enkryptify");
-                    if (authDataString) {
-                        const authData = JSON.parse(authDataString) as {
-                            accessToken: string;
-                            userId: string;
-                            email: string;
-                        };
-                        if (authData.accessToken) {
-                            // Verify the token is still valid
-                            const auth = new Auth();
-                            const userInfo = await auth.getUserInfo(authData.accessToken).catch(() => null);
-                            if (userInfo) {
-                                logger.info(
-                                    'Already logged in. Use "ek login --force" to re-authenticate with a different account.',
-                                );
-                                await configManager.markAuthenticated();
-                                tracker.success();
-                                return;
-                            }
+                    const authData = await secureStore.getAuth();
+                    if (authData?.accessToken) {
+                        // Verify the token is still valid
+                        const auth = new Auth();
+                        const userInfo = await auth.getUserInfo(authData.accessToken).catch(() => null);
+                        if (userInfo) {
+                            logger.info(
+                                'Already logged in. Use "ek login --force" to re-authenticate with a different account.',
+                            );
+                            await configManager.markAuthenticated();
+                            tracker.success();
+                            return;
                         }
                     }
                 } catch {
@@ -59,15 +52,9 @@ export function registerLoginCommand(program: Command) {
                 onComplete: async () => {
                     // Identify user in analytics after successful login
                     try {
-                        const authDataString = await keyring.get("enkryptify");
-                        if (authDataString) {
-                            const authData = JSON.parse(authDataString) as {
-                                userId: string;
-                                email: string;
-                            };
-                            if (authData.userId && authData.email) {
-                                analytics.identify(authData.userId, authData.email);
-                            }
+                        const authData = await secureStore.getAuth();
+                        if (authData) {
+                            analytics.identify(authData.userId, authData.email);
                         }
                     } catch {
                         // Best-effort

diff --git a/src/cmd/logout.ts b/src/cmd/logout.ts
@@ -1,8 +1,8 @@
 import http from "@/api/httpClient";
 import { analytics } from "@/lib/analytics";
 import { config as configManager } from "@/lib/config";
-import { keyring } from "@/lib/keyring";
 import { logger } from "@/lib/logger";
+import { secureStore } from "@/lib/secureStore";
 import type { Command } from "commander";
 
 export function registerLogoutCommand(program: Command) {
@@ -13,8 +13,8 @@ export function registerLogoutCommand(program: Command) {
             const tracker = analytics.trackCommand("command_logout");
 
             try {
-                const authDataString = await keyring.get("enkryptify");
-                if (!authDataString) {
+                const authData = await secureStore.getAuth();
+                if (!authData?.accessToken) {
                     logger.info("You are not logged in.");
                     tracker.success();
                     return;
@@ -30,7 +30,7 @@ export function registerLogoutCommand(program: Command) {
                     logger.debug(revokeError instanceof Error ? revokeError.message : String(revokeError));
                 }
 
-                await keyring.delete("enkryptify");
+                await secureStore.clearAll();
                 await configManager.clearAuthentication();
                 logger.info("Successfully logged out.");
                 tracker.success();