You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
#577(minor) - - Add caching system: cache() resolver, plugin cache API, encrypted JSON store (file mode 0600), varlock cache CLI with TTY-aware browser and --yes confirm for clear.
Cache TTLs use the shared duration format; "forever" caches until manually cleared (the default for cache()), setting a plugin's cacheTtl to false (or an empty string) disables caching, and a TTL of 0 is rejected as ambiguous.
Cached values are individually encrypted and bound to their cache key, so entries cannot be swapped or replayed within the cache file.
--clear-cache always clears the persistent disk cache, including when combined with --skip-cache; @cache=disk warns when used in CI or with the file-based encryption fallback.
Add random value generators backed by node:crypto: randomNum() (integer by default, float when precision is set), randomUuid(), randomHex() (string-length by default, bytes=true for byte-length), randomString() (uses rejection sampling for unbiased output across any charset).
Add duration data type: accepts flexible string/number input ("1h", "30m", "500ms", 2000, "2days") and coerces to a number in a configurable output unit (ms default; seconds, minutes, hours, days, weeks). Only plain decimal number formats are accepted, and sub-millisecond durations are rejected. Same parser is used by cache(..., ttl=...) and the plugin cacheTtl option.
When _VARLOCK_CACHE_KEY is set (e.g. as a CI secret; same format as _VARLOCK_ENV_KEY, but a separate var since that one can be ephemeral), auto cache mode uses a disk cache encrypted with that key instead of falling back to memory — enabling shared caching across CI processes without the key ever touching disk. Each key gets its own cache file, named by key fingerprint.
@cache can be set dynamically with functions (e.g. @cache=forEnv(dev, "disk")); invalid resolved values surface as schema errors.
Plaintext is passed to the native encryption binary via stdin instead of argv so it never appears in process listings (the macOS enclave binary gained --data-stdin support); debug logging no longer includes encrypt/decrypt payloads.
Plugin opt-in caching via cacheTtl is documented per plugin — see the plugin packages' own changelogs.
#768(patch) - fix: only warn about file-based encryption fallback when encryption is actually used, not on every load
#756(patch) - Preserve process.env override provenance across nested invocations so varlock run-injected resolved values are no longer treated as true overrides by inner varlock loads.
Only real upstream overrides now propagate through nesting, while inner command-local overrides still win as expected.
Also fixes smoke-test CLI resolution to use the workspace-local varlock CLI instead of any globally installed binary.
Note: __VARLOCK_ENV now includes override provenance metadata (__varlockOverrideMeta). Tooling that strictly validates that blob shape should allow unknown/new fields.
#757(patch) Thanks @yinjs! - fix: treat whitespace-only lines as blank lines instead of throwing a parse error
