rx replaces .env files with a cloud-based secrets manager you self-host.
Prefix commands with rx run — secrets inject as env vars, never written to disk, redacted from output.12345# before source .env && next dev # after rx run -- next dev
~/.local/bin):1curl -fsSL https://env.roosterx.vn/install.sh | bash
123456git clone <repo> cd cli pnpm install pnpm build:zig cp zig-out/bin/rx ~/.local/bin/rx codesign --force --sign - ~/.local/bin/rx # macOS only
12345678# 1. Login to your self-hosted instance rx login --api-url https://env.roosterx.vn # 2. Pick project + env for this directory rx setup # 3. Run app with secrets injected rx run -- next dev
* in stdout/stderrrx run-c prodrx login123rx login # interactive device flow rx login --api-url https://env.roosterx.vn # custom instance rx login --token sig_xxx # save existing token
rx setup~/.rx/config.json, not in repo):12rx setup # interactive picker rx setup --project proj_abc --env dev # non-interactive
rx run12345rx run -- next dev # from setup config rx run -c dev -- next dev # explicit env rx run --command 'echo $MY_SECRET' # shell string rx run --mount .env -- npm start # write to file, clean up on exit rx run --disable-redaction -- ./script.sh # opt out of redaction
&&, pipes, $VAR) require --command:12345# wrong: parent shell expands $VAR before rx starts rx run --command "psql $DATABASE_URL -c 'select 1'" # right: $VAR expands inside rx's child shell rx run --command 'psql $DATABASE_URL -c "select 1"'
rx secrets1234567rx secrets # list names rx secrets get DATABASE_URL # get value rx secrets set API_KEY sk-live-xxx # set rx secrets set CERT < cert.pem # from stdin rx secrets delete OLD_KEY # delete rx secrets download --format json # bulk export rx secrets download --format env > .env.prod # export as .env
rx projects / rx environments12rx projects create --org org_id --name my-app rx environments create --project proj_id --name Staging --slug staging
--format flag for secrets download: json, env, yaml, docker, dotnet-json, xargs.| Flag | Env var | Description |
--token <sig_xxx> | RX_TOKEN | Bearer token for auth |
--api-url <url> | RX_API_URL | API endpoint |
-c <slug> / --env <slug> | RX_ENVIRONMENT | Environment slug |
-p <id> / --project <id> | RX_PROJECT | Project ID |
1rx secrets download -c prod --format env | wrangler secret bulk --env prod /dev/stdin
1234567- name: Build with secrets env: RX_TOKEN: ${{ secrets.RX_TOKEN }} RX_PROJECT: ${{ vars.RX_PROJECT }} RX_ENVIRONMENT: production run: | npx rx run -- next build
12rx secrets download --format docker > .env.docker docker run --env-file .env.docker my-image
12git clone <repo> cd rx && pnpm install
12345echo "BETTER_AUTH_SECRET=$(openssl rand -base64 32)" > app/.dev.vars pnpm --dir app dev # local pnpm --dir app deployment # deploy preview pnpm --dir app deployment:prod # deploy production
auth.sigillo.dev by default (no Google OAuth needed).1234567echo "BETTER_AUTH_SECRET=$(openssl rand -base64 32)" > provider/.dev.vars echo "GOOGLE_CLIENT_ID=..." >> provider/.dev.vars echo "GOOGLE_CLIENT_SECRET=..." >> provider/.dev.vars pnpm --dir provider dev pnpm --dir provider deployment pnpm --dir provider deployment:prod
PROVIDER_URL in app/wrangler.jsonc and redeploy app.1234567891011121314Your Machine Cloudflare ───────────────── ────────────────────── rx run -- next dev ───► App Worker (your secrets) │ • Secrets CRUD │ device flow login • AES-256-GCM encrypt │ or bearer token • Audit log ▼ • API tokens CLI (Zig binary) • Web UI • D1 database │ Provider Worker (auth.sigillo.dev) • Google login • OAuth2 / PKCE • Dynamic client registration
ENCRYPTION_KEY env var, or derived from BETTER_AUTH_SECRET via SHA-256./api/openapi.json on your self-hosted instance.123456789# list secrets curl -H "Authorization: Bearer sig_xxx" \ https://your-instance/api/environments/{envId}/secrets # bulk set curl -X PUT -H "Authorization: Bearer sig_xxx" \ -H "Content-Type: application/json" \ -d '{"secrets": {"KEY1": "val1"}}' \ https://your-instance/api/v0/projects/{projId}/environments/{envId}/secrets