Node v0.1.0-alpha.3 — Operational ergonomics

Operational ergonomics release. No wire-format changes: files sealed by previous 0.1.0-alpha.x versions decrypt cleanly on 0.1.0-alpha.3 and vice versa.

Cross-stack with Java v0.1.0-alpha.3 (tag java-v0.1.0-alpha.3).

Added

• sealed-env get <file> <KEY> — print one variable's value to stdout. Composable: STRIPE_KEY=$(sealed-env get .env.sealed STRIPE_KEY).
• sealed-env set <file> <KEY> <VALUE> — update or add a single variable and re-seal in place. Comments and key order preserved. Backs up to <file>.bak.
• sealed-env edit <file> — opens $EDITOR with plaintext for in-place editing. Temp file in /dev/shm (RAM-backed) on Linux. Mode 0600, zeroed and unlinked on exit (incl. SIGINT/SIGTERM).
• sealed-env diff <old> <new> — show added / removed / changed keys. Values hidden by default; pass --show-values to reveal.
• init --mode enterprise now renders a scannable QR code for the TOTP otpauth:// URI. Point Google Authenticator / Authy / 1Password / Bitwarden at the screen.

Documentation

• New docs/07-operational-guide.md — for sysadmins, managers, founders. No code required.
• New docs/08-cicd-recipes.md — copy-paste recipes for GitHub Actions, GitLab CI, AWS, GCP, Vercel, Docker, Kubernetes, and more.

Dependencies

• New runtime dep: qrcode-terminal@0.12.0 — pure JS, zero transitive deps, MIT, ~80 KB. Used only by init --mode enterprise.

Fixed

• Smoke test tampered HMAC is rejected had a ~1/64 chance of silently passing. Now picks a guaranteed-different replacement byte.

---

Full changelog: CHANGELOG.md