CLI Commands
npm install -g @rep-protocol/cli# ornpx @rep-protocol/cli [command]rep validate
Section titled “rep validate”Validate a .rep.yaml manifest against the JSON schema.
rep validate [--manifest <path>]| Flag | Default | Description |
|---|---|---|
-m, --manifest <path> | .rep.yaml | Path to manifest file |
Example:
$ rep validate --manifest .rep.yaml✓ Manifest is valid Version: 0.1.0 Variables: 11 total - PUBLIC: 6 - SENSITIVE: 3 - SERVER: 2 Settings configured: 6rep typegen
Section titled “rep typegen”Generate TypeScript type definitions from a manifest. Creates strongly-typed overloads for rep.get() and rep.getSecure().
rep typegen [--manifest <path>] [--output <path>]| Flag | Default | Description |
|---|---|---|
-m, --manifest <path> | .rep.yaml | Path to manifest file |
-o, --output <path> | src/rep.d.ts | Output path for generated types |
Generated output:
declare module "@rep-protocol/sdk" { export interface REP { get(key: "API_URL" | "FEATURE_FLAGS"): string | undefined; getSecure(key: "ANALYTICS_KEY"): Promise<string>; // ... other methods }}rep lint
Section titled “rep lint”Scan built JavaScript bundles for accidentally leaked secrets. Uses the same guardrail detection as the gateway (Shannon entropy, known secret formats).
rep lint [--dir <path>] [--pattern <glob>] [--exclude <patterns>] [--strict]| Flag | Default | Description |
|---|---|---|
-d, --dir <path> | ./dist | Directory to scan |
--pattern <glob> | **/*.{js,mjs,cjs} | File pattern to scan |
--exclude <patterns> | — | Comma-separated glob patterns to exclude (e.g., "*.min.js,vendor/**") |
--strict | false | Exit with error code if warnings found |
Minified code handling
Section titled “Minified code handling”The linter filters out false positives from minified/bundled code while still detecting real secrets embedded in your bundles.
File-level skip: Files with .min.js / .min.mjs / .min.cjs extensions are skipped entirely, as these are typically third-party vendor bundles. If your build pipeline produces application code with .min.js filenames, rename the output or run rep lint against the non-minified build.
String-level filtering: For all other files (including Vite, webpack, and Rollup bundles), extracted string values are checked for JavaScript language constructs (function, return, if, =>, ===, &&, .method(), key:value, etc.) and skipped if they look like compiled code. This means real secrets accidentally embedded in a bundle are still detected, while minified code noise is filtered out.
If you still get false positives, use --exclude to skip specific files or directories.
Example:
$ rep lint --dir ./dist⚠ dist/main.js high_entropy:42: value has high entropy (5.23 bits/char) — may be a secret const key = "sk_live_abc123..."
⚠ Found 1 potential secret(s) in 1 file(s)# Exclude vendor bundles$ rep lint --dir ./dist --exclude "vendor/**,*.chunk.js"Use cases:
- CI/CD pipeline step before deployment
- Pre-commit hook
- Regular audits of production bundles
rep dev
Section titled “rep dev”Run a local development server with the REP gateway. Loads env vars from a file and starts the gateway.
rep dev [options]| Flag | Default | Description |
|---|---|---|
-e, --env <path> | .env.local | Path to .env file |
-p, --port <number> | 8080 | Gateway port |
--proxy <url> | — | Upstream proxy URL (e.g., http://localhost:5173) |
--static <path> | — | Serve static files (embedded mode) |
--hot-reload | false | Enable hot reload |
--gateway-bin <path> | auto | Path to gateway binary |
Example workflows:
# Proxy mode with Viterep dev --env .env.local --proxy http://localhost:5173
# Embedded mode with static filesrep dev --env .env.local --static ./dist --port 8080Binary resolution
Section titled “Binary resolution”The CLI looks for the gateway binary in this order:
- Bundled binary (downloaded during
npm install) - Custom path via
--gateway-bin rep-gatewayin systemPATH