
Node v0.1.0-alpha.7 — exec enterprise + deploy + OS keychain

Pre-release


@davidalmeidac davidalmeidac released this 07 May 19:44
· 85 commits to main since this release

Operator ergonomics + hardened key storage. No wire-format changes — files sealed by 0.1.0-alpha.{4,5,6} decrypt cleanly on 0.1.0-alpha.7.

Three new operator features

1. sealed-env exec now handles enterprise mode

When the sealed file is in enterprise mode, exec mints the unseal token in memory (prompting for the TOTP code if none is passed via --totp), decrypts with it, and injects only the resulting plaintext env vars into the child process. The master key, signing key, TOTP material and the minted token are stripped from the child's environment, so the deployed process never sees the material that unseals the file.

sealed-env exec --file .env.sealed --deploy-id $(git rev-parse HEAD) \
  -- docker compose up -d --build status
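The environment scrubbing described above, as an added example in TypeScript rather than sealed-env's own code: the child gets a fresh env built from the parent's, minus every SEALED_ENV_* control variable (the prefix is the one the release uses; the specific names SEALED_ENV_MASTER_KEY and SEALED_ENV_TOTP_SECRET below are constructed samples), plus the decrypted application vars. The self-check spawns a node child that dumps its own environment and confirms nothing leaked.

```typescript
import { spawnSync } from "node:child_process";

// Control variables the operator's shell holds for sealed-env itself.
// None of them may reach the deployed process. (Prefix from the release notes.)
const SECRET_PREFIX = "SEALED_ENV_";

/**
 * Build the child's environment: copy the parent's env, drop every
 * sealed-env control variable, then layer the decrypted application vars
 * on top. Returns a fresh object; the parent's process.env is untouched.
 */
export function buildChildEnv(
  parentEnv: Record<string, string | undefined>,
  plaintext: Record<string, string>,
): Record<string, string> {
  const env: Record<string, string> = {};
  for (const [k, v] of Object.entries(parentEnv)) {
    if (v === undefined || k.startsWith(SECRET_PREFIX)) continue;
    env[k] = v;
  }
  for (const [k, v] of Object.entries(plaintext)) {
    // A sealed file must not be able to smuggle a control variable into the child.
    if (k.startsWith(SECRET_PREFIX)) {
      throw new Error(`refusing to inject control variable ${k} into child`);
    }
    env[k] = v;
  }
  return env;
}

/**
 * Run `command args...` with the scrubbed environment. stderr is inherited
 * so the operator still sees the child's diagnostics; stdout is captured.
 */
export function execWithPlaintext(
  command: string,
  args: string[],
  plaintext: Record<string, string>,
  parentEnv: Record<string, string | undefined> = process.env,
): { status: number | null; stdout: string } {
  const r = spawnSync(command, args, {
    env: buildChildEnv(parentEnv, plaintext),
    encoding: "utf8",
    stdio: ["ignore", "pipe", "inherit"],
  });
  if (r.error) throw r.error;
  return { status: r.status, stdout: r.stdout };
}

/**
 * Self-check: spawn a node child that prints its environment as JSON and
 * report which control variables (if any) leaked and whether the app var arrived.
 */
export function demo(): { leaked: string[]; appVar: string | undefined } {
  // Constructed parent environment; the key values are placeholders, not real keys.
  const fakeParent: Record<string, string | undefined> = {
    PATH: process.env.PATH,
    SEALED_ENV_MASTER_KEY: "constructed-master-key",
    SEALED_ENV_TOTP_SECRET: "constructed-totp-secret",
  };
  const { stdout } = execWithPlaintext(
    process.execPath,
    ["-e", "process.stdout.write(JSON.stringify(process.env))"],
    { DATABASE_URL: "postgres://app:example@db/app" }, // constructed plaintext var
    fakeParent,
  );
  const childEnv = JSON.parse(stdout) as Record<string, string>;
  return {
    leaked: Object.keys(childEnv).filter((k) => k.startsWith(SECRET_PREFIX)),
    appVar: childEnv.DATABASE_URL,
  };
}
```

Building the env as an allowlist copy (rather than `delete`-ing keys from `process.env`) keeps the parent's own environment intact, which matters when the same process goes on to do other work with its control variables.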

2. sealed-env deploy [-- <command>]

Production deploy wrapper. Auto-detects deploy_id from git rev-parse HEAD, refuses to run with a dirty tree (uncommitted changes would not be in the build, so the deploy_id would not describe what actually shipped), and optionally polls a health URL afterwards.

sealed-env deploy \
  --health-url http://127.0.0.1:8090/actuator/health \
  -- docker compose up -d --build status

Replaces the usual hand-rolled 130-line deploy.sh with one command.
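The three checks that wrapper performs, as an added example in TypeScript that is not sealed-env's code. It assumes dirtiness is read from `git status --porcelain` and the commit id from `git rev-parse HEAD` (the release names only the latter), and treats "healthy" as an HTTP 200 from the health URL. The self-check stands up a local server that answers 503 twice before 200, so the polling loop can be exercised offline.

```typescript
import { execFileSync, spawnSync } from "node:child_process";
import * as http from "node:http";

/** Anything at all in `git status --porcelain` (modified or untracked) means dirty. */
export function isDirty(porcelain: string): boolean {
  return porcelain.split("\n").some((l) => l.trim() !== "");
}

/** Accept only a full commit id: 40 hex (SHA-1 repos) or 64 hex (SHA-256 repos). */
export function parseDeployId(revParse: string): string {
  const id = revParse.trim();
  if (!/^([0-9a-f]{40}|[0-9a-f]{64})$/.test(id)) {
    throw new Error(`not a commit id: ${id}`);
  }
  return id;
}

/** One GET; resolves to the HTTP status, rejects if nothing is listening yet. */
function httpStatus(url: string): Promise<number> {
  return new Promise((resolve, reject) => {
    http.get(url, { agent: false }, (res) => {
      res.resume(); // drain the body so the socket closes
      resolve(res.statusCode ?? 0);
    }).on("error", reject);
  });
}

/** Poll until the URL answers 200; returns the attempt that succeeded. */
export async function waitHealthy(url: string, attempts: number, delayMs: number): Promise<number> {
  for (let i = 1; i <= attempts; i++) {
    try {
      if ((await httpStatus(url)) === 200) return i;
    } catch {
      // connection refused: the app is not up yet, keep waiting
    }
    await new Promise((r) => setTimeout(r, delayMs));
  }
  throw new Error(`${url} still unhealthy after ${attempts} attempts`);
}

/** The wrapper: dirty-tree gate, deploy id from HEAD, run the command, then poll. */
export async function runDeploy(command: string, args: string[], healthUrl?: string): Promise<string> {
  const git = (a: string[]) => execFileSync("git", a, { encoding: "utf8" });
  if (isDirty(git(["status", "--porcelain"]))) {
    throw new Error("working tree is dirty; commit or stash before deploying");
  }
  const deployId = parseDeployId(git(["rev-parse", "HEAD"]));
  const r = spawnSync(command, args, { stdio: "inherit" });
  if (r.status !== 0) throw new Error(`${command} exited with ${r.status}`);
  if (healthUrl) await waitHealthy(healthUrl, 30, 2000);
  return deployId;
}

/** Self-check against a constructed local server: 503 on the first two hits, then 200. */
export async function demo(): Promise<number> {
  let hits = 0;
  const server = http.createServer((_req, res) => {
    hits++;
    res.statusCode = hits < 3 ? 503 : 200; // simulate slow application startup
    res.end();
  });
  await new Promise<void>((r) => server.listen(0, "127.0.0.1", r));
  const addr = server.address();
  const port = typeof addr === "object" && addr ? addr.port : 0;
  try {
    return await waitHealthy(`http://127.0.0.1:${port}/actuator/health`, 10, 50);
  } finally {
    server.close();
  }
}
```

The id check rejects anything that is not a full commit hash, so a detached or corrupted `git` output cannot be recorded as a deploy_id and later mistaken for a real build.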

3. sealed-env keychain push/pull/status/clear

OS-native encrypted storage for SEALED_ENV_* secrets. Cross-platform via shell-out, no native deps:

  • Windows: DPAPI (per-user encrypted blob)
  • macOS: security CLI (system Keychain)
  • Linux: secret-tool (libsecret / GNOME Keyring / KWallet)

After keychain push, the auto-loader prefers the keychain over .env.local. Status prints a SHA-256 fingerprint per entry (never the value), so its output is safe for logs: an unkeyed hash of a high-entropy key cannot be reversed, though the same fingerprint of a guessable value could be brute-forced, so do not reuse the scheme for low-entropy strings.

sealed-env keychain push   # move .env.local → keychain
rm .env.local              # plaintext copy gone
sealed-env doctor .env.sealed
# (loaded 3 SEALED_ENV_* vars from OS keychain)
# ✓ All checks passed
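The loader precedence and the fingerprint-only status output, as an added example in TypeScript and not sealed-env's implementation. It assumes whole-source precedence (any SEALED_ENV_* entry in the keychain means the file is ignored), a 16-hex-digit fingerprint length, a minimal .env.local grammar, and a service name of `sealed-env` for the keychain entries. The `lookupArgv` helper shows the shell-out approach with the real `security` and `secret-tool` read commands; DPAPI has no standalone CLI, so the Windows case is left out here.

```typescript
import { createHash } from "node:crypto";

const PREFIX = "SEALED_ENV_";

/** Minimal .env.local parser: KEY=VALUE lines, `#` comments, optional quotes. */
export function parseDotenv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.lastIndexOf(q) > 0) {
      value = value.slice(1, value.lastIndexOf(q)); // quoted: '#' inside is literal
    } else {
      value = value.replace(/\s+#.*$/, ""); // unquoted: strip a trailing " # comment"
    }
    out[key] = value;
  }
  return out;
}

/** Truncated SHA-256 of the value: identifies an entry in logs without revealing it. */
export function fingerprint(value: string): string {
  return createHash("sha256").update(value, "utf8").digest("hex").slice(0, 16);
}

export interface Loaded {
  vars: Record<string, string>;
  source: "keychain" | ".env.local" | "none";
}

/** Keep only the control variables; everything else belongs to the app, not the loader. */
function onlyControl(m: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const k of Object.keys(m)) if (k.startsWith(PREFIX)) out[k] = m[k];
  return out;
}

/** Keychain wins when it holds any SEALED_ENV_* entry; otherwise fall back to the file. */
export function autoLoad(keychain: Record<string, string>, dotenvText: string): Loaded {
  const kc = onlyControl(keychain);
  if (Object.keys(kc).length > 0) return { vars: kc, source: "keychain" };
  const file = onlyControl(parseDotenv(dotenvText));
  return { vars: file, source: Object.keys(file).length > 0 ? ".env.local" : "none" };
}

/** `status`-style lines: name and fingerprint only, never the value. */
export function statusLines(vars: Record<string, string>): string[] {
  return Object.keys(vars)
    .sort()
    .map((k) => `${k}  sha256:${fingerprint(vars[k])}`);
}

/** argv for reading one entry back through the platform's keychain CLI (assumed naming). */
export function lookupArgv(platform: string, key: string, service = "sealed-env"): string[] {
  switch (platform) {
    case "darwin":
      return ["security", "find-generic-password", "-s", service, "-a", key, "-w"];
    case "linux":
      return ["secret-tool", "lookup", "service", service, "key", key];
    default:
      throw new Error(`no standalone CLI lookup for ${platform}`); // DPAPI needs PowerShell
  }
}
```

Note that the status output sorts keys and prints the same fingerprint for the same value on every host, which is what makes it useful for comparing what two operators' keychains hold without either of them pasting a key.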

Plus

  • sealed-env unseal --token-only for clean shell-script use
  • Auto-load source string in stderr hint (keychain vs file)
  • Fixed init.ts inline-comment bug
  • Refactored token mint into utils/token.ts

Architecture: host-side decrypt

This release enables an opinionated security upgrade: the operator's machine does the full unseal, and only plaintext env vars reach the container. Master keys never touch the deploy host (when paired with DOCKER_HOST=ssh://...). The trade-off to keep in mind is that the deploy host still handles the decrypted values, since they live in the container's environment and are readable through the Docker API (docker inspect) by anyone with socket access there; the host is trusted with one deployment's application secrets, but not with the key that unseals every sealed file. The Spring Boot starter still works for fleets that prefer container-side decrypt.


Full changelog: CHANGELOG.md