Search

Lib.rs

› Configuration | Cryptography
#scylla #daemon #secret

app ww

A Doppler-like secret manager built on ScyllaDB, with a background daemon and a CLI for injecting environment variables into processes

by Akzestia

  • Install
  • GitHub (akzestia)
  • Home (zed.dev)

1 stable release

Uses new Rust 2024

1.0.0 Aug 22, 2025

#1695 in Configuration

MIT license

35KB
512 lines

ww — Scylla‑backed secrets daemon + CLI

ww is a Doppler‑like secret manager built on ScyllaDB. It runs a background daemon that talks to Scylla and exposes project secrets over a local Unix socket. The companion CLI can inject environment variables into commands, download them in multiple formats, or update individual keys.

✨ Features

  • 🔑 Store project secrets in ScyllaDB (map<text,text> column)
  • 📡 Local daemon with Unix socket protocol
  • 🛠 CLI with familiar commands: run, secrets, set-env, client
  • 🌐 Path‑to‑project bindings (~/.config/ww/config.toml)
  • 📄 Export secrets as .env, JSON, or YAML
  • 🔒 Socket permissions default to 0600

🚀 Quick Start

1. Start the daemon

ww serve --node 127.0.0.1:9042 --user cassandra --pass cassandra

2. Bind your repo to a project

cd /path/to/repo
ww client setup my_project

3. Set a secret

ww set-env --name API_KEY --val abc123

4. Run your app with secrets injected

ww node app.js

🔧 CLI Overview

USAGE:
    ww <COMMAND>

COMMANDS:
    serve       Start the daemon server
    run         Run a command with env vars injected
    secrets     Download or read secrets
    set-env     Upsert a single secret
    client      Manage global client config

Examples

  • Show current project resolution:

    ww client which

  • Download secrets to .env file:

    ww secrets download --format env --output .env

  • Fetch a single secret:

    ww secrets get --name API_KEY --plain

  • Run any command, injecting resolved project secrets:

    ww npm run dev

⚙️ Client Config

Location: ~/.config/ww/config.toml

default_project = "demo_project"

[[paths]]
dir = "/abs/path/to/repo"
project = "my_project"

Resolution order:

  1. --project flag (explicit)
  2. WW_PROJECT environment variable
  3. Path binding from config
  4. default_project

📡 Socket Protocol

The daemon speaks a simple line protocol over a Unix socket:

  • QUERY_PROJECTS:<project>\n → KEY=VALUE\n...
  • ENSURE_PROJECT:<project>\n → OK\n or ERROR:...
  • SET_ENV:<project>:<key>=<value>\n → OK\n or ERROR:...

Socket path defaults to /tmp/ww.sock.

🔐 Security Notes

  • Socket is 0600 (owner read/write only)
  • Assumes local single‑user trust; no encryption/auth on socket
  • Use --plain only when piping into secure sinks

🛠 Development

Build

cargo build --release

Test

cargo test

Install locally

cargo install --path .

📜 License

Licensed under MIT.

Dependencies

~17–31MB
~353K SLoC

  • anyhow
  • clap+derive
  • dirs 6.0
  • scylla 1.3
  • serde+derive
  • serde_json
  • serde_yaml 0.9.34
  • tokio+full
  • toml 0.9.5
Related: cql_lsp
See also: scylla, scylla-cql, charybdis, scylla-proxy, cqlsh-rs, secrecy, oo7, puff, redact, scylla-cdc, seella

Lib.rs is an unofficial list of Rust/Cargo crates, created by kornelski. It contains data from multiple sources, including heuristics, and manually curated data. Content of this page is not necessarily endorsed by the authors of the crate. This site is not affiliated with nor endorsed by the Rust Project. If something is missing or incorrect, please file a bug.