v0.3.0 — Selective encryption, get/set, and key rotation
Features
Selective encryption — Leave chosen variables readable in committed .env.enc files while sealing secrets.
dotseal encrypt --plain-key …/--plain-key-regex …and the same flags onedit- Plaintext policy is stored in the file footer (
plain_keys,plain_re) and preserved on re-encrypt/rotate - Docs updated in
USAGE.md,FILE_FORMAT.md, andKEY_MANAGEMENT.md
Get and set individual values — Read or update one variable without decrypting the whole file to disk.
dotseal get KEY(optional default when missing)dotseal set KEY VALUEget_value()/set_value()in the Python API;KeyNotFoundErrorfor missing keys
Key rotation — Re-encrypt existing files under new key material while preserving plaintext policy.
dotseal rotate --new-key-file …(symmetric) or--new-private-key-file …(asymmetric)rotate_text()/rotate_text_asymmetric()in the Python API
Improvements
- CodeQL analysis for Python and TypeScript
- Core helpers centralized (
write_secret_file,VALID_KEY_RE, upward key lookup,already_encrypted_keys) - Duplicate env keys:
getuses the last matching entry - Stricter validation for variable names and master key base64
KeyNotFoundErrornow inherits fromKeyError
Notes
- Selective encryption is for non-secrets only — plaintext values remain visible in git history.
- VS Code / Cursor extension: use
ext-v0.1.2or later for matching selective-encryption behavior when creating new encrypted files from the editor.