v0.13.0

@github-actions github-actions released this 13 Jun 02:11
· 14 commits to main since this release

Bundles the file-scoped export, shell-hook injection, and fail-fast key-handling work.

Added

  • envpkt shell-hook now loads and unloads project credentials on cd (previously
    audit-only). The emitted zsh/bash hook resolves the directory's package, injects it via
    env export --track, restores the previously-injected package on leave (prior values, not a
    blind unset — no cross-project bleed), and prints a health warning. Secret values load only
    for scope = "shell" packages; env defaults always load. Decryption happens only when the
    resolved package changes.
  • envpkt config-path — resolve-only command that prints the envpkt.toml path for the
    current directory (empty if none), with no config load or decryption. Powers the shell hook's
    per-cd gate and is useful in scripts.
  • Upward-walk config discovery: discoverConfig now walks up from the current directory to
    the nearest envpkt.toml (like git/direnv) before the global/search fallback, so a
    project's config applies throughout its subtree. Affects exec, env export, audit, and the
    shell hook — running any of them from a subdirectory now finds the enclosing project.
  • Top-level scope field ("shell" | "exec", default "exec") gates whether
    envpkt env export emits a package's secret values for ambient shell loading. shell
    exports them (for eval/the shell hook); exec (default) withholds them so they're only
    available via envpkt exec. Env defaults (non-secret) are always exported. scope never
    affects envpkt exec, env github, or env dotenv — those are deliberate, not ambient.
  • envpkt env export --track wraps each assignment with an in-shell prior-value snapshot
    (_ENVPKT_HAD_* / _ENVPKT_PREV_*) and emits an _ENVPKT_INJECTED name list, so a shell
    hook can restore — not just unset — variables when leaving a directory. Plain env export
    output is unchanged.
  • envpkt env dotenv emits resolved credentials in .env format (KEY=value), for the
    tools that auto-discover .env files — Wrangler, Docker --env-file, Vite/Next/Astro,
    GitHub Actions, direnv. A sibling of env export (shell) and env github ($GITHUB_ENV).
    Secret values are included by default (consistent with those commands); --no-secrets
    emits value-less placeholders. -o <file> writes to a file (with a .gitignore reminder
    when secrets are present). Values are quoted only when needed and output is deterministic.
    New library API: formatDotenv / quoteDotenvValue.
    (#23)
  • secret edit --unset <field> removes an optional metadata field (repeatable). Field
    names are the canonical TOML keys (e.g. rate_limit). You can unset any field you can set
    with a flag; unknown field names are rejected rather than silently ignored. Previously the
    only way to drop a field was hand-editing the TOML, since --field "" failed schema
    validation. (#31)
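The shell-hook, upward-walk discovery and --track items above describe one mechanism from three sides. What follows is an added example written for this page, not envpkt's own hook or library code: a plain POSIX sh model of that contract, with the tracked-export snapshot and restore, the walk to the nearest envpkt.toml, and the per-cd gate that leaves everything alone while the resolved config is unchanged. The function names, the _ENVPKT_LAST_CONFIG variable and the package_exports stand-in (constructed KEY=value lines in place of a real decrypted package) are assumptions; the _ENVPKT_HAD_*, _ENVPKT_PREV_* and _ENVPKT_INJECTED names are the ones the notes give.

```shell
#!/bin/sh
# Added example, not envpkt's own code. A POSIX sh model of the shell-hook contract in
# these release notes, so the behaviour can be run and checked:
#   envpkt_config_path   upward walk to the nearest envpkt.toml (config-path / discoverConfig)
#   envpkt_track_export  the --track snapshot (_ENVPKT_HAD_*, _ENVPKT_PREV_*) + _ENVPKT_INJECTED
#   envpkt_restore       restore-on-leave: prior value back, or unset if there was none
#   envpkt_on_cd         the per-cd gate: touch nothing unless the resolved path changes
# Function names, _ENVPKT_LAST_CONFIG and package_exports (a constructed stand-in for the
# decrypted package) are assumptions made for this example.

# Print the nearest envpkt.toml at or above absolute directory $1; status 1, no output if none.
envpkt_config_path() {
  d=${1:-$PWD}                              # expects an absolute directory path
  while :; do
    if [ -f "$d/envpkt.toml" ]; then printf '%s\n' "$d/envpkt.toml"; return 0; fi
    case $d in /|.) return 1 ;; esac        # reached the root: nothing found
    d=$(dirname "$d")
  done
}

# Snapshot KEY's prior state, export VALUE, and append KEY to _ENVPKT_INJECTED.
envpkt_track_export() {
  key=$1 value=$2
  if eval "[ -n \"\${$key+x}\" ]"; then
    eval "_ENVPKT_HAD_$key=1; _ENVPKT_PREV_$key=\$$key"   # existed: remember its value
  else
    eval "_ENVPKT_HAD_$key=0"                             # did not exist: restore means unset
  fi
  export "$key=$value"
  _ENVPKT_INJECTED="${_ENVPKT_INJECTED:+$_ENVPKT_INJECTED }$key"
}

# Undo every tracked export: prior values come back, variables we created disappear.
envpkt_restore() {
  for key in ${_ENVPKT_INJECTED-}; do
    eval "had=\$_ENVPKT_HAD_$key"
    if [ "$had" = 1 ]; then
      eval "export $key=\"\$_ENVPKT_PREV_$key\""
    else
      unset "$key"
    fi
    unset "_ENVPKT_HAD_$key" "_ENVPKT_PREV_$key"
  done
  unset _ENVPKT_INJECTED
}

# Constructed stand-in for `envpkt env export` on the package a config resolves to: prints
# KEY=value lines derived from the project directory, so two projects yield different values.
package_exports() {
  project=$(basename "$(dirname "$1")")
  printf 'ENVPKT_PROJECT=%s\nAPI_TOKEN=token-for-%s\n' "$project" "$project"
}

# Per-cd gate for directory $1. Same resolved config as last time: return without touching
# anything (this is the point where decryption is skipped). Otherwise restore the previous
# package, then inject the new one if the directory is inside a project.
envpkt_on_cd() {
  cfg=$(envpkt_config_path "$1") || cfg=
  [ "$cfg" = "${_ENVPKT_LAST_CONFIG-}" ] && return 0
  envpkt_restore
  _ENVPKT_LAST_CONFIG=$cfg
  [ -n "$cfg" ] || return 0
  while IFS== read -r k v; do                  # no pipe: exports must land in this shell
    envpkt_track_export "$k" "$v"
  done <<EOF
$(package_exports "$cfg")
EOF
}

# Walk a cd cycle over a constructed tree (project-a/src, project-b, plain) and return 0
# only if every expectation holds: upward walk, gate short-circuit, switch, clean leave.
demo_cd_cycle() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/project-a/src" "$root/project-b" "$root/plain"
  : > "$root/project-a/envpkt.toml"
  : > "$root/project-b/envpkt.toml"
  API_TOKEN=from-global                         # constructed: a value the shell already had
  unset ENVPKT_PROJECT _ENVPKT_LAST_CONFIG _ENVPKT_INJECTED
  envpkt_on_cd "$root/project-a/src"            # subdirectory resolves to project-a
  [ "$ENVPKT_PROJECT" = project-a ] && [ "$API_TOKEN" = token-for-project-a ] || return 1
  envpkt_on_cd "$root/project-a"                # same package: gate does nothing
  [ "$_ENVPKT_INJECTED" = "ENVPKT_PROJECT API_TOKEN" ] || return 1
  envpkt_on_cd "$root/project-b"                # switch: a restored, then b injected
  [ "$API_TOKEN" = token-for-project-b ] || return 1
  envpkt_on_cd "$root/plain"                    # leave: prior value back, no bleed
  [ "$API_TOKEN" = from-global ] && [ -z "${ENVPKT_PROJECT+x}" ] || return 1
  rm -rf "$root"
}

if demo_cd_cycle; then echo "cd cycle OK: upward walk, gate, restore-not-unset"; else echo "cd cycle FAILED" >&2; exit 1; fi
```

The step worth checking is the last one: after leaving project-b, API_TOKEN is back to the value the shell had before any project was entered, and ENVPKT_PROJECT, which did not exist before, is gone rather than left holding project-b's value. A hook that did a blind unset would clear API_TOKEN entirely; one that did nothing on leave would keep project-b's token visible in the plain directory, which is the cross-project bleed the notes rule out.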

Changed

  • envpkt seal --edit now confirms before overwriting an already-sealed value. Replacing a
    sealed encrypted_value discards the only ciphertext, so --edit asks
    Replace the sealed value for <KEY>? [y/N] first (declining keeps the existing value).
    Editing an unsealed entry is unaffected. Makes the "lost the key, re-provision from
    source" path a deliberate act.
  • envpkt env export no longer emits secret values by default. With the new scope field
    defaulting to "exec", ambient eval "$(envpkt env export)" now exports only env defaults; add
    top-level scope = "shell" to a package to restore secret export (e.g. for a global package
    loaded at shell start). Withheld secrets print a one-line note to stderr. envpkt exec,
    env github, and env dotenv are unaffected — they still resolve everything.

Fixed

  • boot()/bootSafe() now fail fast when a sealed packet's decryption key is absent, instead
    of warning and injecting empty values. A package with encrypted_value entries and no resolvable
    key (identity.key_file → ENVPKT_AGE_KEY_FILE → ENVPKT_AGE_KEY → ~/.envpkt/age-key.txt)
    returns a SealKeyUnavailable error listing the searched paths and how to fix it — so a missing
    key surfaces immediately (in exec / env export·github·dotenv) rather than as a confusing
    empty-credential failure downstream. A configured-but-missing key_file now also falls through
    the rest of the precedence chain (so a local key_file no longer blocks an inline CI key).
    audit is unaffected — it reads metadata only and still reports health without the key.
  • --dry-run now runs the same schema validation as the real write across secret
    subcommands. Previously a dry-run could preview a change (e.g. expires = "") that the
    actual write would then reject, so the preview no longer misrepresents what will be
    accepted. (#31)
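As an added example (not envpkt's own code) of the fail-fast behaviour the first Fixed item describes, the sh function below walks the same precedence chain, falls through a configured-but-missing key_file, and reports the searched paths with a non-zero status when nothing resolves. The name resolve_age_key, its optional argument standing in for identity.key_file, and the use of a readable-file test as the definition of "resolvable" are assumptions.

```shell
#!/bin/sh
# Added example, not envpkt's own code. Models the key-resolution order from the Fixed notes
# (identity.key_file, then ENVPKT_AGE_KEY_FILE, then ENVPKT_AGE_KEY, then
# ~/.envpkt/age-key.txt) with the fixed semantics: a configured-but-missing key_file falls
# through to the next source, and when nothing resolves the caller gets a non-zero status and
# the searched paths instead of empty values. resolve_age_key, its first argument (standing in
# for identity.key_file) and "readable file" as the usability test are assumptions.

# resolve_age_key [config_key_file]
# Prints the winning source (a file path, or the literal ENVPKT_AGE_KEY for an inline key)
# and returns 0. Returns 1 and prints the searched paths on stderr when no key is found.
resolve_age_key() {
  searched=
  for candidate in "${1-}" "${ENVPKT_AGE_KEY_FILE-}"; do   # file sources, precedence order
    [ -n "$candidate" ] || continue
    if [ -r "$candidate" ]; then printf '%s\n' "$candidate"; return 0; fi
    searched="$searched  $candidate (configured, not readable)\n"   # fall through, remember it
  done
  if [ -n "${ENVPKT_AGE_KEY-}" ]; then printf 'ENVPKT_AGE_KEY\n'; return 0; fi
  default=$HOME/.envpkt/age-key.txt
  if [ -r "$default" ]; then printf '%s\n' "$default"; return 0; fi
  searched="$searched  $default (default location)\n"
  printf 'SealKeyUnavailable: no decryption key found. Searched:\n%b' "$searched" >&2
  printf 'Fix: point ENVPKT_AGE_KEY_FILE at the key, set ENVPKT_AGE_KEY, or create %s\n' "$default" >&2
  return 1
}

# Constructed CI-shaped demo, run in subshells so HOME and the environment stay untouched:
# the project's key_file does not exist on this machine, but an inline key is present.
demo_root=$(mktemp -d)
( HOME=$demo_root; ENVPKT_AGE_KEY=constructed-inline-key; unset ENVPKT_AGE_KEY_FILE
  resolve_age_key "$demo_root/missing-key.txt" )            # prints ENVPKT_AGE_KEY
( HOME=$demo_root; unset ENVPKT_AGE_KEY ENVPKT_AGE_KEY_FILE
  resolve_age_key "$demo_root/missing-key.txt" || echo "boot would fail fast (status $?)" )
rm -rf "$demo_root"
```

A caller modelling boot()/bootSafe() treats the non-zero status as a hard stop before any export; that is what keeps an empty credential from ever reaching exec or env export, and it is the difference between a one-line SealKeyUnavailable at startup and a confusing authentication failure further down the pipeline.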

Full Changelog: v0.12.0...v0.13.0