eric8810
diff --git a/‎docs/specs/v0.2/01-json-output.md‎
Lines changed: 192 additions & 0 deletions b/‎docs/specs/v0.2/01-json-output.md‎
Lines changed: 192 additions & 0 deletions
diff --git a/‎docs/specs/v0.2/02-env-command.md‎
Lines changed: 158 additions & 0 deletions b/‎docs/specs/v0.2/02-env-command.md‎
Lines changed: 158 additions & 0 deletions
@@ -0,0 +1,192 @@
+# 01 — JSON Output (`--json`)
+
+## Summary
+
+Add a `--json` flag to commands that produce output, so agents can parse responses reliably without scraping text.
+
+## Motivation
+
+Today, `authy get` outputs a raw string. `authy list` outputs one name per line. `authy session list` outputs a formatted table. None of these are machine-parseable without brittle string splitting. AI agents that call `authy` via bash need structured output to make decisions based on the result.
+
+## Current Behavior
+
+```
+$ authy get db-url
+postgresql://user:pass@host/db
+
+$ authy list
+api-key
+db-url
+github-token
+
+$ authy session list
+ID        SCOPE       STATUS   EXPIRES
+abc123    deploy      active   2h remaining
+def456    dev-agent   expired  —
+
+$ authy policy show deploy
+Name: deploy
+Allow: db-*, github-token
+Deny: prod-*
+Description: Deploy agent policy
+```
+
+## Proposed Behavior
+
+### Global `--json` flag
+
+Add `--json` as a global flag on the root `Cli` struct (clap). When present, all output-producing commands emit JSON to stdout.
+
+### Per-command output schemas
+
+**`authy get <name> --json`**
+
+```json
+{
+  "name": "db-url",
+  "value": "postgresql://user:pass@host/db",
+  "version": 3,
+  "created": "2026-02-10T08:30:00Z",
+  "modified": "2026-02-15T14:22:00Z"
+}
+```
+
+**`authy list --json`**
+
+```json
+{
+  "secrets": [
+    {
+      "name": "api-key",
+      "version": 1,
+      "created": "2026-02-10T08:30:00Z",
+      "modified": "2026-02-10T08:30:00Z"
+    },
+    {
+      "name": "db-url",
+      "version": 3,
+      "created": "2026-02-10T08:30:00Z",
+      "modified": "2026-02-15T14:22:00Z"
+    }
+  ]
+}
+```
+
+Note: `list --json` does NOT include secret values. Use `get` for values.
+
+**`authy policy show <name> --json`**
+
+```json
+{
+  "name": "deploy",
+  "allow": ["db-*", "github-token"],
+  "deny": ["prod-*"],
+  "description": "Deploy agent policy"
+}
+```
+
+**`authy policy list --json`**
+
+```json
+{
+  "policies": [
+    {
+      "name": "deploy",
+      "allow_count": 2,
+      "deny_count": 1,
+      "description": "Deploy agent policy"
+    }
+  ]
+}
+```
+
+**`authy policy test --scope <scope> <name> --json`**
+
+```json
+{
+  "secret": "db-url",
+  "scope": "deploy",
+  "allowed": true
+}
+```
+
+**`authy session list --json`**
+
+```json
+{
+  "sessions": [
+    {
+      "id": "abc123",
+      "scope": "deploy",
+      "label": "ci-deploy",
+      "status": "active",
+      "created": "2026-02-15T10:00:00Z",
+      "expires": "2026-02-15T18:00:00Z"
+    }
+  ]
+}
+```
+
+**`authy session create --json`**
+
+```json
+{
+  "token": "authy_v1.dGhpcyBpcyBhIDMyIGJ5dGUg...",
+  "session_id": "abc123",
+  "scope": "deploy",
+  "expires": "2026-02-15T18:00:00Z"
+}
+```
+
+**`authy audit show --json`**
+
+```json
+{
+  "entries": [
+    {
+      "timestamp": "2026-02-15T14:22:00Z",
+      "operation": "secret_read",
+      "secret": "db-url",
+      "actor": "token:abc123",
+      "outcome": "granted",
+      "detail": ""
+    }
+  ]
+}
+```
+
+### Commands NOT affected
+
+- `authy get` (without `--json`): unchanged, raw value to stdout
+- `authy run`: passthrough to child process, `--json` has no effect
+- `authy admin`: TUI, `--json` has no effect
+- `authy config show`: already TOML, `--json` could optionally emit JSON
+- `authy audit export`: already JSON, `--json` is redundant (no-op)
+
+### Error output with `--json`
+
+When `--json` is set and an error occurs, stderr emits a JSON error object instead of a plain message. See [06-structured-errors.md](06-structured-errors.md).
+
+## Interface
+
+```
+authy [--json] <command> [args...]
+```
+
+The `--json` flag is positional on the root parser, before the subcommand.
+
+## Edge Cases
+
+- `--json` + pipe to another command: works naturally (stdout is JSON)
+- `--json` + `authy get`: includes metadata (name, version, timestamps), not just raw value
+- `--json` + `authy run`: ignored silently (child process owns stdout)
+- `--json` + `authy admin`: ignored silently (TUI owns terminal)
+- Empty list results: return `{"secrets": []}`, not an error
+
+## Acceptance Criteria
+
+- [ ] `--json` flag available on root CLI
+- [ ] `get`, `list`, `policy show`, `policy list`, `policy test`, `session list`, `session create`, `audit show` all produce valid JSON when `--json` is set
+- [ ] JSON output goes to stdout; no diagnostic messages mixed in
+- [ ] Without `--json`, all commands behave identically to today
+- [ ] All JSON output is valid (parseable by `jq`)
@@ -0,0 +1,158 @@
+# 02 — Env Command (`authy env`)
+
+## Summary
+
+New `authy env` command that outputs scoped secrets as shell-sourceable environment variable declarations. The bridge between Authy's encrypted vault and the `export FOO=bar` world that every tool and agent already understands.
+
+## Motivation
+
+Today, `authy run --scope X -- cmd` spawns a child process with env vars injected. This works for launching a single process, but doesn't help when:
+
+1. A shell session needs multiple tools to see the same secrets
+2. A `SessionStart` hook needs to write env vars to `CLAUDE_ENV_FILE`
+3. A CI pipeline step needs to source secrets into the current shell
+4. A container entrypoint needs to set up the environment before exec
+
+`authy env` produces the text output that feeds these use cases. It's the composable building block — the output can be `eval`'d, appended to files, piped, or redirected.
+
+## Current Behavior
+
+No `authy env` command exists. The closest is `authy run`, which spawns a subprocess.
+
+## Proposed Behavior
+
+### Basic usage
+
+```bash
+$ authy env --scope deploy
+export DB_URL='postgresql://user:pass@host/db'
+export GITHUB_TOKEN='ghp_xxxxxxxxxxxx'
+```
+
+Output is `export KEY='VALUE'` format, one per line. Directly sourceable by bash/zsh.
+
+### Source it
+
+```bash
+eval "$(authy env --scope deploy)"
+# DB_URL and GITHUB_TOKEN are now in the current shell
+```
+
+### Write to a file
+
+```bash
+authy env --scope deploy >> "$CLAUDE_ENV_FILE"
+```
+
+### Flags
+
+```
+authy env --scope <SCOPE> [--uppercase] [--replace-dash <CHAR>] [--prefix <PREFIX>] [--format <FORMAT>] [--no-export]
+```
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--scope <SCOPE>` | required | Policy scope to filter secrets |
+| `--uppercase` | off | Convert secret names to UPPERCASE |
+| `--replace-dash <CHAR>` | none | Replace `-` in names with given character |
+| `--prefix <PREFIX>` | none | Prepend prefix to each variable name |
+| `--format <FORMAT>` | `shell` | Output format (see below) |
+| `--no-export` | off | Omit `export` keyword (just `KEY='VALUE'`) |
+
+These flags mirror `authy run` for consistency.
+
+### Output formats
+
+**`--format shell`** (default)
+
+```bash
+export DB_URL='postgresql://user:pass@host/db'
+export GITHUB_TOKEN='ghp_xxxxxxxxxxxx'
+```
+
+**`--format dotenv`**
+
+```
+DB_URL=postgresql://user:pass@host/db
+GITHUB_TOKEN=ghp_xxxxxxxxxxxx
+```
+
+Standard `.env` format (no `export`, no quoting unless value contains special chars). Values with spaces, `#`, or newlines are double-quoted.
+
+**`--format json`**
+
+```json
+{
+  "DB_URL": "postgresql://user:pass@host/db",
+  "GITHUB_TOKEN": "ghp_xxxxxxxxxxxx"
+}
+```
+
+Flat key-value JSON object.
+
+### Name transformation
+
+Transformation order: (1) replace-dash, (2) prefix, (3) uppercase.
+
+```bash
+$ authy env --scope deploy --uppercase --replace-dash _ --prefix AUTHY_
+export AUTHY_DB_URL='postgresql://user:pass@host/db'
+export AUTHY_GITHUB_TOKEN='ghp_xxxxxxxxxxxx'
+```
+
+This matches the existing `authy run` transformation behavior.
+
+### Authentication
+
+Supports all auth methods: passphrase, keyfile, session token. When using a session token, the token's scope is used and `--scope` is optional (defaults to token scope).
+
+## Edge Cases
+
+- Empty scope (no secrets match policy): output nothing, exit 0
+- Secret value contains single quotes: escape as `'\''` in shell format
+- Secret value contains newlines: use `$'...\n...'` quoting in shell format; `"..."` with `\n` in dotenv
+- `--scope` required unless using session token (which has implicit scope)
+- `--format json` ignores `--no-export` (not applicable)
+
+## Relationship to `authy run`
+
+`authy env` and `authy run` share the same policy evaluation and name transformation logic. Internally, `authy run` could be refactored to use the same secret-resolution code as `authy env`, then pass the result to `Command::envs()`.
+
+## Use Cases
+
+**Claude Code SessionStart hook:**
+```bash
+#!/bin/bash
+if [ -n "$CLAUDE_ENV_FILE" ]; then
+  authy env --scope claude-code --uppercase --replace-dash _ >> "$CLAUDE_ENV_FILE"
+fi
+```
+
+**Docker container entrypoint:**
+```bash
+#!/bin/bash
+eval "$(authy env --scope $AGENT_SCOPE --uppercase --replace-dash _)"
+exec "$@"
+```
+
+**CI pipeline step:**
+```bash
+eval "$(authy env --scope ci-deploy --uppercase --replace-dash _)"
+./deploy.sh
+```
+
+**Pipe to another tool:**
+```bash
+authy env --scope dev --format json | jq '.DB_URL'
+```
+
+## Acceptance Criteria
+
+- [ ] `authy env --scope <scope>` outputs shell-sourceable `export` statements
+- [ ] `--format shell`, `--format dotenv`, `--format json` all work
+- [ ] `--uppercase`, `--replace-dash`, `--prefix` transform names correctly
+- [ ] `--no-export` omits `export` keyword in shell format
+- [ ] Values with special characters are properly escaped per format
+- [ ] Empty result (no matching secrets) outputs nothing, exits 0
+- [ ] Works with all auth methods (passphrase, keyfile, token)
+- [ ] Audit log records the access (operation: `env_export`, lists scope)