Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.capy.sc/llms.txt

Use this file to discover all available pages before exploring further.

Synopsis

capy [options]

Description

The bare capy command is the main sync loop. It authenticates you (if needed), pulls the latest encrypted secrets from the service, diffs them against your local .env, and writes any changes back. On first run in a project, it interactively initializes the project - picking an org, creating a project, encrypting your existing .env, and writing keep.lock. See Syncing secrets for the full flow.

Options

FlagDescription
--env-path <path>Use a custom .env file location instead of the project root.
-v, --verboseEnable detailed logging. Useful when debugging sync issues.
-f, --forceRe-encrypt existing variables even if they appear unchanged.
-d, --dry-runPreview the sync without applying any changes.

Examples

# Sync secrets in the current project
capy

# Use a different .env file
capy --env-path config/.env.local

# Preview what a sync would do
capy --dry-run

# Force re-encryption of every variable
capy --force

First-run behavior

On first run (no keep.lock in the project), Capy:
  1. Authenticates you in the browser.
  2. Prompts for an organization (or creates one, which generates a seed phrase).
  3. Prompts for a project (or creates one).
  4. Creates a development branch.
  5. Encrypts every value in your .env and uploads the ciphertext.
  6. Rewrites .env with capy:… snippets and gitignores it.
  7. Writes a commented-out copy of your original .env to .env.pre-capy.old (gitignored).
  8. Installs post-checkout and post-merge git hooks, which run capy status after branch switches and merges.
  9. Commits only keep.lock to git (a small versioning manifest with no keys or plaintext).