PHP SDK

Guzzle-based PHP client for Bella Baxter. Laravel ServiceProvider and Symfony Bundle included.

Installation

composer require cosmic-chimps/bella-baxter

Quick Start

use BellaBaxter\BaxterClient;

$client = new BaxterClient(
    baxterUrl: $_ENV['BELLA_BAXTER_URL'],
    apiKey:    $_ENV['BELLA_BAXTER_API_KEY'],
);

$secrets = $client->getAllSecrets();
echo $secrets['DATABASE_URL'];

Laravel Integration

Register the BellaBaxterServiceProvider in config/app.php or via auto-discovery. Secrets are loaded at boot — env('DATABASE_URL') works everywhere.

// config/bella_baxter.php
return [
    'url'     => env('BELLA_BAXTER_URL'),
    'api_key' => env('BELLA_BAXTER_API_KEY'),
];

→ Full Laravel sample

Symfony Integration

# config/packages/bella_baxter.yaml
bella_baxter:
    url: '%env(BELLA_BAXTER_URL)%'
    api_key: '%env(BELLA_BAXTER_API_KEY)%'

Secrets are injected into $_ENV via a Kernel::REQUEST event subscriber before any controller runs.

→ Full Symfony sample

Zero-Knowledge Encryption (ZKE)

By default the SDK generates a fresh P-256 keypair per request (ephemeral E2EE). With ZKE you supply a persistent device key — the server audits which host fetched each secret and the SDK caches the wrapped DEK.

Generate your device key once:

bella auth setup   # stores in OS keychain; copy the printed PEM

Use it in your app:

use BellaBaxter\BaxterClient;
use BellaBaxter\BaxterClientOptions;

$client = new BaxterClient(new BaxterClientOptions(
    baxterUrl: $_ENV['BELLA_BAXTER_URL'],
    apiKey:    $_ENV['BELLA_BAXTER_API_KEY'],
    // Optional — reads BELLA_BAXTER_PRIVATE_KEY env var automatically
    privateKey: getenv('BELLA_BAXTER_PRIVATE_KEY') ?: null,
    onWrappedDekReceived: function(string $project, string $env, string $wrappedDek, ?string $leaseExpires) {
        error_log("DEK for {$project}/{$env} expires {$leaseExpires}");
    },
));

Laravel: just set the environment variable — the Service Provider reads BELLA_BAXTER_PRIVATE_KEY automatically via config/bella.php:

BELLA_BAXTER_PRIVATE_KEY="..."   # in .env or server environment

If the variable is not set the SDK falls back to ephemeral E2EE — fully backward-compatible.

Typed Secrets

bella secrets generate php

Generates a typed AppSecrets class. No more $_ENV['MY_SECRET'] magic strings.

→ Full typed secrets sample

All Samples

Sample	Pattern	Link
01-dotenv-file	bella pull → vlucas/phpdotenv	GitHub
02-process-inject	bella run -- php app.php	GitHub
03-laravel	BellaBaxterServiceProvider	GitHub
04-symfony	BellaBundle event subscriber	GitHub
05-typed-secrets	Generated typed AppSecrets class	GitHub