chore(deps): update devdependency @shelve/cli to v5 #160

Open
renovate[bot] wants to merge 1 commit into main from renovate/shelve-cli-5.x
renovate Bot commented Apr 27, 2026

This PR contains the following updates:

Package               Change          Age   Confidence
@shelve/cli (source)  4.2.0 → 5.0.1   age   confidence

Release Notes

HugoRCD/shelve (@shelve/cli)

v5.0.1

Patch Changes
  • #734 d63f766 Thanks @HugoRCD! - Add test coverage for the v5 additions — encrypted offline cache (roundtrip / TTL / token rotation / tampering), OS-keychain credentials with XDG file fallback and legacy ~/.shelve migration, agent-ignore files, shelve:// secret references, and parseDuration. Along the way, CredentialsService now creates $XDG_CONFIG_HOME on demand so writes no longer fail on freshly provisioned machines.

v5.0.0

Major Changes
  • #731 af6266e Thanks @HugoRCD! - Make shelve run the default secret-injection path with offline support, secret references, watch mode, and AI-agent guards. Move CLI credentials to the OS keychain.

    OS keychain storage

    • The CLI now stores its API token in the OS keychain via @napi-rs/keyring (macOS Keychain, libsecret, Windows Credential Manager). The fallback file is XDG-compliant (~/.config/.shelve, mode 0600) and the legacy ~/.shelve is migrated automatically on first read.
    • rc9.readUser / rc9.writeUser are deprecated; we now use readUserConfig / writeUserConfig.
    • shelve logout clears both the keychain entry and the rc file.

    Encrypted offline cache

    • After every successful pull, shelve run writes an AES-256-GCM cache at ~/.shelve/cache/<sha256(team:project:env)>.json.enc, with the key derived from the API token via HKDF. Revoking the token makes the cache unreadable.
    • New flags: --offline (force cache, fail if absent), --no-cache (never read or write), --cache-ttl 24h (override freshness).
    • If the API call fails, shelve run transparently falls back to a fresh-enough cache and prints a warning instead of crashing.

    Secret references

    • shelve run --template .env.template resolves shelve://<team>/<project>/<env>/<KEY> references against the live or cached secrets, leaving literal values untouched. The template file can be safely committed to Git.

    Watch mode

    • shelve run --watch polls Shelve for variable changes and forwards SIGHUP to the child on update (let Vite/Nuxt/Next handle the reload). Use --restart-on-change to instead kill and respawn.

    AI-agent guards

    • New shelve init writes .cursorignore, .aiderignore, .codeiumignore, .continueignore, and a # shelve-managed-block in .gitignore to keep .env out of model contexts.
    • shelve pull now detects AI-agent environments via std-env (cursor, claude, devin, replit, gemini, codex, auggie, opencode, kiro, goose, pi) and prompts before writing plaintext secrets to disk (skip with --yes). Set AI_AGENT=<name> to force-detect.
  • #732 5e8bf14 Thanks @HugoRCD! - Harden API token storage, switch CLI auth to Authorization: Bearer, and add scoped tokens.

    Breaking — token format and storage

    • Tokens are now generated with crypto.randomBytes(32) + Crockford base32 (no more Math.random) and stored as sha256(token) alongside a non-secret prefix. Plaintext is returned only at creation and never readable again. Existing tokens are invalidated by the migration — re-issue them after upgrading.
    • GET /api/tokens no longer returns plaintext token values; only prefix, name, scopes, expiresAt, lastUsedAt, lastUsedIp are exposed.
    • Lookup is now an O(1) hash query with timingSafeEqual instead of decrypting every token in a loop.

    Breaking — CLI authentication

    • The CLI sends Authorization: Bearer <token> instead of Cookie: authToken=…. The cookie path still works for one release window with Deprecation and Sunset response headers.

    New — scoped tokens

    • Tokens carry granular scopes: teamIds, projectIds, environmentIds, and permissions: ('read' | 'write')[]. Scopes are enforced server-side via requireTokenScope.
    • Tokens support an optional expiresAt and a CIDR allowedCidrs allowlist. lastUsedAt and lastUsedIp are written on each authenticated request.

    The token UI (/user/tokens and the create dialog) shows the prefix instead of the full token, displays scopes/expiry/last-used columns, and reveals the secret value only once at creation.

Patch Changes
  • #730 59d2bf3 Thanks @HugoRCD! - Fix shelve run subprocess handling and add missing dependencies.

    • Switch from tinyexec + tree-kill to node:child_process.spawn with proper process-group signal forwarding (process.kill(-pid, signal) on POSIX). Resolves the long-standing childPid bug where signals were never propagated and child trees were left as zombies.
    • Drop the implicit npx fallback (~200 ms cold start, broken signals) and use the local node_modules/.bin/nr directly when shorthand commands like pnpm dev are passed.
    • Declare tinyexec and consola as direct dependencies of @shelve/cli. They were transitive-only before, so installs under npm/yarn/bun broke as soon as pnpm hoisting wasn't there to save the day.
  • #732 4c3fa8d Thanks @HugoRCD! - Fix she_…undefined… tokens: the Crockford base32 alphabet was missing two
    symbols (only 30 chars instead of 32), so two random bits per token mapped to
    undefined and ended up baked into the literal token string. Switched to the
    standard 32-char Crockford alphabet (0-9 + A-Z minus I/L/O/U).

    Tokens generated before this fix (with undefined baked in) keep working —
    the hash is deterministic against whatever string was issued — but you should
    rotate them: they're shorter than advertised in entropy and noticeably ugly.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
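
The encrypted offline cache described in the v5.0.0 release notes above, as an added sketch that is not part of this PR and not Shelve's code: an AES-256-GCM blob whose key is derived from the API token with HKDF, so a rotated token or a modified file fails to open. The HKDF salt and info label, the IV|tag|ciphertext layout, the savedAt field and all function names are assumptions.

```javascript
// Added illustration, not Shelve's source. Salt, info label, blob layout,
// the savedAt field and every function name here are assumptions.
const crypto = require('node:crypto');

// Cache file name as the release notes give it: sha256(team:project:env).
function cacheFileName(team, project, env) {
  const id = crypto.createHash('sha256').update(`${team}:${project}:${env}`).digest('hex');
  return `${id}.json.enc`;
}

// HKDF-SHA256 turns the API token into a 32-byte AES-256 key.
function deriveKey(token) {
  const salt = Buffer.from('example-cache-salt');    // assumed constant
  const info = Buffer.from('example-offline-cache'); // assumed label
  return Buffer.from(crypto.hkdfSync('sha256', Buffer.from(token), salt, info, 32));
}

// Assumed blob layout: 12-byte IV | 16-byte GCM tag | ciphertext.
// savedAt lives inside the authenticated payload, so freshness cannot be
// extended by editing file metadata.
function sealCache(token, secrets, now = Date.now()) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(token), iv);
  const body = Buffer.from(JSON.stringify({ savedAt: now, secrets }));
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the cached secrets, or null when the cache must not be used.
function openCache(token, blob, ttlMs, now = Date.now()) {
  if (blob.length < 28) return null; // too short to hold IV and tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(token), blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  let payload;
  try {
    const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
    payload = JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // wrong key (rotated or revoked token) or modified bytes
  }
  if (now - payload.savedAt > ttlMs) return null; // older than the TTL
  return payload.secrets;
}
```
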

renovate Bot added the chore and dependencies labels Apr 27, 2026
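
The token changes from #732 in the release notes above, as an added sketch that is not part of this PR and not Shelve's code: Crockford base32 over crypto.randomBytes(32) with an alphabet guard (a 30-symbol alphabet is what bakes the literal undefined into a token), plus hash-only storage and lookup with timingSafeEqual. The 8-character stored prefix, the record shape, the Map standing in for a database index and the function names are assumptions; the she_ prefix is taken from the changelog entry.

```javascript
// Added illustration, not Shelve's source. Prefix length, record shape and
// function names are assumptions.
const crypto = require('node:crypto');

// Standard Crockford alphabet: 0-9 + A-Z minus I, L, O, U (32 symbols).
const CROCKFORD = '0123456789ABCDEFGHJKMNPQRSTVWXYZ';

// Core encoder, 5 bits per symbol. With a short alphabet, alphabet[i] is
// undefined for the missing indexes and `+=` appends the text "undefined".
function encodeUnchecked(bytes, alphabet) {
  let out = '', acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b;
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += alphabet[(acc >>> bits) & 31];
    }
    acc &= (1 << bits) - 1; // keep only the leftover low bits
  }
  if (bits > 0) out += alphabet[(acc << (5 - bits)) & 31];
  return out;
}

// Guarded encoder: rejects any alphabet that is not 32 unique symbols.
function base32Encode(bytes, alphabet = CROCKFORD) {
  if (alphabet.length !== 32 || new Set(alphabet).size !== 32) {
    throw new RangeError(`alphabet has ${alphabet.length} symbols, need 32 unique`);
  }
  return encodeUnchecked(bytes, alphabet);
}

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// The plaintext is returned once; only the prefix and the hash are kept.
function issueToken() {
  const token = 'she_' + base32Encode(crypto.randomBytes(32));
  return { token, record: { prefix: token.slice(0, 8), hash: sha256(token) } };
}

// `store` is a Map keyed by hex digest, standing in for an indexed column.
function findToken(store, presented) {
  const digest = sha256(String(presented));
  const record = store.get(digest.toString('hex'));
  return record && crypto.timingSafeEqual(record.hash, digest) ? record : null;
}
```
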
sentry Bot commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.83%. Comparing base (465fe56) to head (ad4819c).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #160   +/-   ##
=======================================
  Coverage   66.83%   66.83%           
=======================================
  Files          81       81           
  Lines        2023     2023           
  Branches      601      601           
=======================================
  Hits         1352     1352           
  Misses        534      534           
  Partials      137      137           
codspeed-hq Bot commented Apr 27, 2026

Merging this PR will not alter performance

✅ 44 untouched benchmarks


Comparing renovate/shelve-cli-5.x (ad4819c) with main (465fe56)

renovate Bot force-pushed the renovate/shelve-cli-5.x branch 13 times, most recently from 9686537 to f8608b8 May 4, 2026 18:48
renovate Bot force-pushed the renovate/shelve-cli-5.x branch 6 times, most recently from 7d1c230 to ff252f8 May 9, 2026 12:08
renovate Bot force-pushed the renovate/shelve-cli-5.x branch from ff252f8 to ad4819c May 12, 2026 10:30