{"id":49558101,"url":"https://github.com/ptmaroct/kubera","last_synced_at":"2026-05-03T06:17:40.455Z","repository":{"id":355021760,"uuid":"1188205845","full_name":"ptmaroct/kubera","owner":"ptmaroct","description":"Native macOS menubar app for managing Infisical secrets — search, copy, edit, delete, all from your menubar","archived":false,"fork":false,"pushed_at":"2026-05-01T13:26:45.000Z","size":2844,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-01T14:19:31.330Z","etag":null,"topics":["developer-tools","infisical","macos","menubar","secret-management","secrets","swift","swiftui"],"latest_commit_sha":null,"homepage":null,"language":"Swift","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ptmaroct.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-21T18:58:20.000Z","updated_at":"2026-05-01T13:25:59.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ptmaroct/kubera","commit_stats":null,"previous_names":["ptmaroct/infiscal-macos"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/ptmaroct/kubera","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ptmaroct%2Fkubera","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ptmaroct%2Fkubera/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ptmaroct%2Fkubera/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ptmaroct%2Fkubera/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ptmaroct","download_url":"https://codeload.github.com/ptmaroct/kubera/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ptmaroct%2Fkubera/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32559760,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T03:21:47.309Z","status":"ssl_error","status_checked_at":"2026-05-03T03:21:43.884Z","response_time":103,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["developer-tools","infisical","macos","menubar","secret-management","secrets","swift","swiftui"],"created_at":"2026-05-03T06:17:37.457Z","updated_at":"2026-05-03T06:17:40.430Z","avatar_url":"https://github.com/ptmaroct.png","language":"Swift","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubera\n\n\u003e *Keeper of secrets — named for the Vedic god of wealth.*\n\nA native macOS menubar app for quickly searching and managing secrets via the [Infisical](https://infisical.com) CLI.\n\n![macOS](https://img.shields.io/badge/macOS-13%2B-black?logo=apple)\n![Swift](https://img.shields.io/badge/Swift-5.9-orange?logo=swift)\n![License](https://img.shields.io/badge/License-MIT-blue)\n\n## Screenshots\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/menubar.png\" width=\"280\" alt=\"Menubar dropdown\" /\u003e\n  \u0026nbsp;\u0026nbsp;\n  \u003cimg src=\"assets/vault-locked.png\" width=\"280\" alt=\"Vault locked — Touch ID unlock\" /\u003e\n  \u0026nbsp;\u0026nbsp;\n  \u003cimg src=\"assets/settings.png\" width=\"280\" alt=\"Settings\" /\u003e\n\u003c/p\u003e\n\n## Features\n\n- **Menubar native** — lives in your system menubar as an NSMenu dropdown, no dock icon\n- **Instant search** — filter secrets by name as you type (local, zero-latency)\n- **One-click copy** — click any secret to copy its value, auto-clears clipboard after 30s\n- **View All Secrets** — full window with search, edit, delete, version numbers, and tags\n- **Add secrets** — create new secrets with tags and comments without leaving your menubar\n- **Edit \u0026 delete** — update secret values/comments or delete secrets from the View All window\n- **Version tracking** — see the current version number for each secret\n- **Tags display** — view tags on each secret\n- **Global shortcut** — `Cmd + Shift + K` toggles the menu from anywhere\n- **Direct dashboard link** — opens your project directly in the Infisical web dashboard\n- **CLI-powered** — uses your existing `infisical` CLI session, zero credential management\n- **Dark vault UI** — custom dark theme with amber accents and smooth animations\n\n## Install\n\n### One-liner (recommended)\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/ptmaroct/kubera/main/install.sh | bash\n```\n\nInstalls the Infisical CLI (via Homebrew) if missing, downloads the latest Kubera DMG, drops it into `/Applications`, and strips the macOS quarantine flag so the unsigned app launches cleanly.\n\n### Homebrew\n\n```bash\nbrew tap ptmaroct/kubera\nbrew install --cask kubera\n```\n\nThe cask declares `infisical` as a dependency, so the CLI is pulled in automatically.\n\n### Manual download\n\n1. Grab the latest `Kubera.dmg` from [Releases](https://github.com/ptmaroct/kubera/releases).\n2. Mount it and drag `Kubera.app` to `/Applications`.\n3. Because the build is currently unsigned, run this once to clear Gatekeeper's \"App is damaged\" warning:\n\n   ```bash\n   xattr -dr com.apple.quarantine /Applications/Kubera.app\n   ```\n\n4. Install the Infisical CLI separately: `brew install infisical`.\n\n### After install\n\n```bash\ninfisical login   # one-time auth\nopen -a Kubera    # or launch from Spotlight\n```\n\nIf you want the global `Cmd + Shift + K` hotkey: **System Settings → Privacy \u0026 Security → Accessibility → enable Kubera**.\n\n### Requirements\n\n- macOS 13 (Ventura) or later\n- [Infisical CLI](https://infisical.com/docs/cli/overview) (installed automatically by both quick-install paths)\n\n### Build from source\n\n```bash\nswift build\nbash scripts/bundle.sh\nopen build/Kubera.app\n```\n\n## First Launch\n\n1. App detects your Infisical CLI session automatically\n2. Select your project and environment from dropdowns\n3. Click **Connect** — secrets appear in the menubar menu\n\n## Usage\n\n| Action | How |\n|--------|-----|\n| Open menu | Click the key icon in menubar, or `Cmd + Shift + K` |\n| Search | Type in the search field at the top of the menu |\n| Copy secret | Click any secret name — value is copied to clipboard |\n| View all secrets | Menu → View All Secrets (`Cmd + L`) |\n| Edit/delete secret | Open View All, use the pencil or trash icons per row |\n| Add secret | Menu → Add New Secret (`Cmd + N`) |\n| Open dashboard | Menu → Open Infisical Dashboard (`Cmd + D`) |\n| Settings | Menu → Settings (`Cmd + ,`) |\n\nClipboard auto-clears after 30 seconds for security.\n\n## CLI\n\nKubera also ships a `kubera` command-line tool that reads the same project/env config you set in the menubar app (`~/.config/kubera/config.json`). Both `install.sh` and the Homebrew cask drop a symlink onto your `$PATH`, so after install:\n\n| Command | Action |\n|---------|--------|\n| `kubera status` | Login state + configured project/env/base URL |\n| `kubera login` / `kubera logout` | Sign in / out via the bundled `infisical` flow |\n| `kubera config show` | Print resolved config (`--json` for machine-readable) |\n| `kubera config set --project \u003cid\u003e --env dev --path / --base-url \u003curl\u003e` | Update fields (also writable from the GUI) |\n| `kubera config clear` | Wipe `~/.config/kubera/config.json` |\n| `kubera projects` | List projects you can access (`--json`) |\n| `kubera envs` | Envs in the configured project |\n| `kubera ls` | List secret keys (no values by default; `--values`, `--json`, `--tag \u003cslug\u003e`) |\n| `kubera get \u003cKEY\u003e` | Print one value to stdout |\n| `kubera copy \u003cKEY\u003e` | Copy to clipboard via `pbcopy` |\n| `kubera info \u003cKEY\u003e` | Full metadata: version, comment, tags, expiry, service URL |\n| `kubera set \u003cKEY\u003e \u003cVALUE\u003e` | Upsert (create or update). `\u003cVALUE\u003e` of `-` reads from stdin. `--comment`, `--tag \u003cid\u003e` |\n| `kubera rm \u003cKEY\u003e [--force]` | Delete, with confirm prompt unless forced |\n| `kubera export --format dotenv\\|json\\|shell` | Dump every secret in the chosen format |\n| `kubera export --format kubera --output \u003cfile\u003e` | Encrypted backup archive (AES-256-GCM, PBKDF2-SHA256). Prompts for a password |\n| `kubera import \u003cfile.kubera\u003e [--overwrite] [--dry-run]` | Restore from an encrypted backup into the active backend |\n| `kubera run -- \u003ccmd\u003e [args…]` | Inject secrets as env vars and exec the subcommand (`kubera run -- npm run dev`) |\n| `kubera tags` / `kubera tags create \u003cname\u003e` | List or create tags |\n| `kubera open` / `kubera open --dashboard` | Launch the macOS app or the Infisical web dashboard |\n\n`kubera --help` covers the full surface. Most read commands accept `--json` for piping into `jq`. When the menu is in **All Environments** mode, set a default env in **Settings → Default for Add** so writes (`set`, `rm`) and the Add Secret form know which env to target — the CLI honors this fallback automatically.\n\n## Claude Code skill\n\nA [`SKILL.md`](./SKILL.md) at the repo root teaches Claude Code (and other agents that use the [vercel-labs/skills](https://github.com/vercel-labs/skills) loader) how to drive the `kubera` CLI safely — preflight checks, when to use `copy`/`run` vs `get`, recipes for `.env` bootstrap and key rotation.\n\nInstall it into your project (or globally) with the `skills` npm package:\n\n```bash\n# project-scoped — commits .claude/skills/kubera/ into the repo\nnpx skills add ptmaroct/kubera --agent claude-code\n\n# global, for all projects on this machine\nnpx skills add ptmaroct/kubera --agent claude-code --scope user\n```\n\nThe skill assumes the `kubera` binary is on `$PATH`. If it isn't yet, run the curl installer or `brew install --cask kubera` first.\n\n## Project Structure\n\nThree SwiftPM targets share a single core library:\n\n```\nKuberaCore/                   # Library: shared types + Infisical service\n├── Models/\n│   ├── Secret.swift              # SecretItem, SecretTag, SecretMetadata*\n│   ├── AppConfiguration.swift    # File-backed config (~/.config/kubera/config.json)\n│   └── APIModels.swift\n└── Services/\n    └── InfisicalCLIService.swift # REST API + CLI session helpers\n\nKubera/                       # GUI executable (KuberaApp target)\n├── KuberaApp.swift, AppDelegate.swift\n├── Models/{AppConfiguration+Shortcut, DockVisibilityPreference, ExpiryNotificationSettings}\n├── Services/{TouchIDService, ClipboardService, ProjectCache, ExpiryNotificationScheduler}\n├── ViewModels/, Views/, Utilities/\n\nKuberaCLI/                    # CLI executable (kubera binary)\n├── KuberaCLI.swift, Helpers.swift\n└── Commands/{Status, Login, Config, Projects, Secrets}.swift\n```\n\n## Troubleshooting\n\n**\"Kubera is damaged and can't be opened\"** — the build is unsigned. Run:\n\n```bash\nxattr -dr com.apple.quarantine /Applications/Kubera.app\n```\n\nThe curl and Homebrew installers do this automatically; you only need it for manual DMG installs.\n\n**Settings stuck on \"Loading…\"** — your Infisical CLI session is missing or expired. Run `infisical login` and reopen Settings.\n\n**Global hotkey (`Cmd + Shift + K`) does nothing** — grant Accessibility access in **System Settings → Privacy \u0026 Security → Accessibility**.\n\n**Custom Infisical instance (EU / self-hosted)** — set the CLI domain first:\n\n```bash\ninfisical login --domain https://eu.infisical.com   # or your self-hosted URL\n```\n\n## Encrypted backup \u0026 restore\n\n`kubera export --format=kubera` writes a single-file backup archive: AES-256-GCM ciphertext over a JSON dump of the visible secrets, with a 256-bit key derived from your password via PBKDF2-SHA256 (524,288 rounds). The archive carries each secret's environment, project, and path so a restore lands in the right namespace.\n\n```bash\nkubera export --format=kubera --output ~/Desktop/kubera-backup.kubera   # prompts for password twice\nkubera import ~/Desktop/kubera-backup.kubera                            # prompts once\n```\n\nPair `--dry-run` with import to preview, and `--overwrite` to update existing secrets that share `(project, env, path, key)`. The archive format is documented in `KuberaCore/Services/LocalCrypto.swift` (`BackupArchive`).\n\n\u003e Phase 2 (v1.5.1-beta.2) wires the GUI through the `SecretStore` protocol so picking **On this Mac** in onboarding gives you a fully local, encrypted vault — no Infisical account required. Settings → Storage exposes Backup… / Restore… buttons that drive the same encrypted archive flow.\n\n## Why is the macOS sandbox disabled?\n\nKubera spawns the local `infisical` binary as a subprocess to talk to your account. The macOS app sandbox blocks arbitrary subprocess execution, so it's explicitly disabled in `Kubera.entitlements`. Nothing leaves your machine — Kubera only talks to Infisical through your already-authenticated CLI session.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fptmaroct%2Fkubera","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fptmaroct%2Fkubera","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fptmaroct%2Fkubera/lists"}