envilder 0.9.1 → 0.9.3

package/README.md

@@ -5,143 +5,114 @@
 </p>
 
 <p align="center">
-  <b>Automate .env and secret management with Envilder</b><br>
-  <span>Streamline your environment setup with AWS SSM Parameter Store or Azure Key Vault</span>
+  <b>One model. Your secrets. Every runtime.</b><br>
+  <span>Define secret mappings once. Resolve them consistently from AWS SSM or Azure Key Vault.</span>
 </p>
 
-![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/macalbert/envilder?utm_source=oss&utm_medium=github&utm_campaign=macalbert%2Fenvilder&labelColor=171717&color=FF570A&link=https%3A%2F%2Fcoderabbit.ai&label=CodeRabbit+Reviews)
-
 [![npm version](https://img.shields.io/npm/v/envilder.svg)](https://www.npmjs.com/package/envilder)
 [![npm downloads](https://img.shields.io/npm/dm/envilder.svg)](https://npmcharts.com/compare/envilder)
 [![CI Tests](https://github.com/macalbert/envilder/actions/workflows/tests.yml/badge.svg)](https://github.com/macalbert/envilder/actions/workflows/tests.yml)
-[![Coverage Report](https://img.shields.io/badge/coverage-report-green.svg)](https://macalbert.github.io/envilder/)
-[![Known Vulnerabilities](https://snyk.io/test/github/macalbert/envilder/badge.svg)](https://snyk.io/test/github/macalbert/envilder)
+[![Overall Coverage](https://macalbert.github.io/envilder/badge_combined.svg)](https://macalbert.github.io/envilder/)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
 
-## Why centralize environment variables?
+## Why Envilder?
+
+Your new developer joins the team. They need environment variables to run the app locally.
+What happens next? Someone sends API keys over Slack. Someone else digs up a wiki page
+with outdated credentials. Forty-five minutes later, their `.env` file is "probably correct".
+
+**Envilder fixes this in one command.**
 
-Envilder is a CLI tool for .env automation, cloud secrets management, and secure environment variable sync.
-Generating and maintaining consistent .env files is a real pain point for any development team. From outdated
-secrets to insecure practices, the risks are tangible. Envilder eliminates these pitfalls by centralizing and
-automating secret management across real-world environments (dev, test, production) in a simple, secure, and
-efficient way. Use Envilder to automate .env files, sync secrets with AWS SSM Parameter Store or Azure Key Vault,
-and streamline onboarding and CI/CD workflows.
+You create a JSON mapping between variable names and cloud secret paths. Envilder resolves
+them from AWS SSM or Azure Key Vault. The same mapping file works in local dev (CLI),
+CI/CD (GitHub Action), and application startup (runtime SDKs).
+
+```bash
+envilder --map=param-map.json --envfile=.env
+```
+
+No SaaS middleman. No vendor lock-in. Secrets stay in your cloud.
 
 ---
 
-## ❗ What Envilder solves
+## The problem
 
-- Desync between environments (dev, prod)
-- Secrets not properly propagated across team members
-- CI/CD pipeline failures due to outdated or missing .env files
-- Slow and manual onboarding processes
-- Security risks from sharing secrets via Slack, email, or other channels
-- Insecure .env practices and manual secret sharing
+- **Onboarding takes hours, not seconds.** Every new developer needs someone to explain which
+  secrets go where. Keys get shared over Slack, pasted from wikis, or copied from a colleague's
+  machine. It's slow, error-prone, and insecure.
+- **Every environment has its own workflow.** Local dev reads `.env` files. CI/CD uses vault
+  integrations. Production has its own method. Same app, three different secret workflows.
+- **No single source of truth.** Without a versioned contract, dev/staging/production configs
+  drift apart. Deployments break. Nobody knows which config is correct.
 
-## ✅ How Envilder makes life easier
+## How Envilder solves it
 
-- 🛡️ Centralizes secrets in AWS SSM Parameter Store or Azure Key Vault
-- ☁️ Multi-provider support — choose `aws` or `azure` with the `--provider` flag
-- ⚙️ Generates .env files automatically for every environment
-- 🔄 Applies changes idempotently and instantly
-- 🔐 Improves security: no need to share secrets manually; everything is managed via your cloud provider
-- 👥 Simplifies onboarding and internal rotations
-- 🚀 Enables cloud-native, infrastructure-as-code secret management
-- 🤖 Perfect for DevOps, CI/CD, and team sync
+- 📋 **One mapping file for everything.** A single `param-map.json` defines what secrets your app
+  needs. Git-versioned, PR-reviewable, the same across every environment.
+- ⚡ **Works everywhere your code runs.** CLI for local dev, GitHub Action for CI/CD, runtime SDKs
+  for application startup. Same file, same result.
+- 🛡️ **Your cloud, zero infrastructure.** Secrets stay in AWS SSM or Azure Key Vault. No SaaS
+  proxy, no extra servers, no data to migrate.
 
 ---
 
-## 📚 Table of Contents
-
-- [🗝️ Envilder ☁️](#️-envilder-️)
-  - [Why centralize environment variables?](#why-centralize-environment-variables)
-  - [❗ What Envilder solves](#-what-envilder-solves)
-  - [✅ How Envilder makes life easier](#-how-envilder-makes-life-easier)
-  - [📚 Table of Contents](#-table-of-contents)
-  - [⚙️ Features](#️-features)
-    - [🧱 Feature Status](#-feature-status)
-  - [💾 Installation](#-installation)
-    - [🤖 GitHub Action](#-github-action)
-  - [🚀 Quick Start](#-quick-start)
-    - [🎥 Video Demonstration](#-video-demonstration)
-    - [🏁 Get Started (3 steps)](#-get-started-3-steps)
-      - [AWS SSM (default)](#aws-ssm-default)
-      - [Azure Key Vault](#azure-key-vault)
-    - [📚 Quick Links](#-quick-links)
-  - [🗺️ Mapping File Format](#️-mapping-file-format)
-    - [Basic Format (AWS SSM — default)](#basic-format-aws-ssm--default)
-    - [With `$config` (explicit provider)](#with-config-explicit-provider)
-    - [`$config` Options](#config-options)
-    - [Configuration Priority](#configuration-priority)
-  - [🛠️ How it works](#️-how-it-works)
-  - [Frequently Asked Questions (FAQ)](#frequently-asked-questions-faq)
-  - [🔍 Envilder vs. Alternatives](#-envilder-vs-alternatives)
-    - [Secrets sync tools (direct alternatives)](#secrets-sync-tools-direct-alternatives)
-    - [Runtime \& credential tools (not direct alternatives)](#runtime--credential-tools-not-direct-alternatives)
-    - [When to use what](#when-to-use-what)
-    - [Why choose Envilder?](#why-choose-envilder)
-    - [Where Envilder fits best](#where-envilder-fits-best)
-  - [🏁 Roadmap](#-roadmap)
-  - [🤝 Contributing](#-contributing)
-  - [📜 License](#-license)
+## ⚙️ Features
+
+| Feature | Description |
+|---------|-------------|
+| 📋 **Declarative Mapping** | One JSON file defines all secrets. Git-versioned, PR-reviewable, diff-able |
+| ☁️ **Multi-Provider** | AWS SSM + Azure Key Vault. No vendor lock-in |
+| 🔌 **Runtime SDKs** | Load secrets into memory at app startup: [.NET](./src/sdks/dotnet/README.md), [Python](./src/sdks/python/README.md). No `.env` on disk |
+| ⚙️ **GitHub Action** | Pull secrets in CI/CD. Same mapping, zero manual config |
+| 🔄 **Bidirectional Sync** | Pull secrets to `.env` or push values back to the cloud |
+| 🧱 **Zero Infrastructure** | No servers, no proxies, no SaaS. Uses cloud services you already have |
 
 ---
 
-## ⚙️ Features
+## 🚀 Quick Start
 
-- 🔒 **Strict access control** — IAM policies (AWS) or RBAC (Azure) define access to secrets across stages
-(dev, staging, prod)
-- 📊 **Auditable** — All reads/writes are logged in AWS CloudTrail or Azure Monitor
-- 🧩 **Single source of truth** — No more Notion, emails or copy/paste of envs
-- 🔁 **Idempotent sync** — Only what's in your map gets updated. Nothing else is touched
-- 🧱 **Zero infrastructure** — Fully based on native cloud services. No Lambdas, no servers, no fuss
+### 🎥 See it in action
 
-### 🧱 Feature Status
+Watch how easy it is to automate your .env management in less than 1 minute:  
 
-- 🤖 **GitHub Action** — [Integrate directly in CI/CD workflows](./github-action/README.md)
-- 📤 **Push & Pull** — Bidirectional sync between local `.env` and your cloud provider
-- ☁️ **Multi-provider** — AWS SSM Parameter Store and Azure Key Vault
-- 🎯 **AWS Profile support** — Use `--profile` flag for multi-account setups
+![Watch the video](https://github.com/user-attachments/assets/9f194143-117d-49f3-a6fb-f400040ea514)
 
----
+### 🏁 Get Started (2 steps)
 
-## 💾 Installation
+**1. Create a mapping file** (`param-map.json`):
 
-🛠 Requirements:
+```json
+{
+  "DB_PASSWORD": "/my-app/db/password",
+  "API_KEY": "/my-app/api-key"
+}
+```
 
-- Node.js **v20+** (cloud-native compatible)
-- **AWS provider**: AWS CLI installed and configured; IAM user/role with `ssm:GetParameter`, `ssm:PutParameter`
-- **Azure provider**: Azure CLI installed; vault URL configured via
-`$config.vaultUrl` in your map file or `--vault-url` flag
+**2. Generate your `.env` file:**
 
 ```bash
-pnpm add -g envilder
+npx envilder --map=param-map.json --envfile=.env
 ```
 
-Or use your preferred package manager:
+That's it. Your secrets are pulled from AWS SSM and written to `.env`.
+Add `.env` to `.gitignore`. The mapping file is versioned and reviewable in PRs.
+
+> 💡 Using Azure Key Vault? Add a `$config` section to your mapping file.
+> See [Mapping File Format](#️-mapping-file-format) below.
+
+### 💾 Installation
 
 ```bash
 npm install -g envilder
 ```
 
-> 💡 **Want to try without installing?** Run `npx envilder --help` to explore the CLI instantly.
->
-> 💡 **New to AWS SSM?** AWS Systems Manager Parameter Store provides secure storage for configuration data and secrets:
+> 💡 **No install needed?** `npx envilder` works out of the box.
 >
-> - [AWS SSM Parameter Store Overview](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
-> - [Setting up AWS CLI credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
-> - [IAM permissions for SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html)
->
-> 💡 **New to Azure Key Vault?** Azure Key Vault safeguards cryptographic keys and secrets used by cloud apps:
->
-> - [Azure Key Vault Overview](https://learn.microsoft.com/en-us/azure/key-vault/general/overview)
-> - [Setting up Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
-> - [Key Vault access policies](https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy)
+> **Requirements:** Node.js v20+. AWS CLI or Azure CLI configured.
+> See [full requirements](docs/requirements-installation.md).
 
 ### 🤖 GitHub Action
 
-Use Envilder directly in your CI/CD workflows with our official GitHub Action:
-
 **AWS SSM (default):**
 
 ```yaml
@@ -177,77 +148,11 @@ Use Envilder directly in your CI/CD workflows with our official GitHub Action:
     vault-url: ${{ secrets.AZURE_KEY_VAULT_URL }}
 ```
 
-📖 **[View full GitHub Action documentation](./github-action/README.md)**
-
----
-
-## 🚀 Quick Start
-
-### 🎥 Video Demonstration
-
-Watch how easy it is to automate your .env management in less than 1 minute:  
-
-![Watch the video](https://github.com/user-attachments/assets/9f194143-117d-49f3-a6fb-f400040ea514)
-
-### 🏁 Get Started (3 steps)
-
-After configuring your cloud provider credentials, you can begin managing your secrets.
-
-#### AWS SSM (default)
-
-1. **Create a mapping file:**
-
-   ```json
-   {
-     "DB_PASSWORD": "/my-app/db/password"
-   }
-   ```
-
-2. **Push a secret to AWS SSM:**
-
-   ```bash
-   envilder --push --key=DB_PASSWORD --value=12345 --secret-path=/my-app/db/password
-   ```
-
-3. **Generate your .env file from AWS SSM:**
-
-   ```bash
-   envilder --map=param-map.json --envfile=.env
-   ```
-
-#### Azure Key Vault
+📖 **[Full GitHub Action docs](./github-action/README.md)**
 
-1. **Add `$config` to your mapping file:**
+### 📚 More resources
 
-   ```json
-   {
-     "$config": {
-       "provider": "azure",
-       "vaultUrl": "https://my-vault.vault.azure.net"
-     },
-     "DB_PASSWORD": "my-app-db-password"
-   }
-   ```
-
-2. **Pull secrets from Azure Key Vault:**
-
-   ```bash
-   envilder --map=param-map.json --envfile=.env
-   ```
-
-   Or use CLI flags to override:
-
-   ```bash
-   envilder --provider=azure --vault-url=https://my-vault.vault.azure.net --map=param-map.json --envfile=.env
-   ```
-
-Your secrets are now managed and versioned from your cloud provider. Add `.env` to your `.gitignore` for security.
-Envilder is designed for automation, onboarding, and secure cloud-native workflows.
-
-### 📚 Quick Links
-
-- [📖 Full Documentation](https://envilder.com) — Visit envilder.com for the complete guide
-- [Requirements & Installation](docs/requirements-installation.md)
+- [📖 Full Documentation](https://envilder.com): the complete guide at envilder.com
 - [Push Command Guide](docs/push-command.md)
 - [Pull Command Guide](docs/pull-command.md)
 
@@ -255,10 +160,12 @@ Envilder is designed for automation, onboarding, and secure cloud-native workflo
 
 ## 🗺️ Mapping File Format
 
-The mapping file (`param-map.json`) is the core of Envilder. It maps environment variable names to secret paths
-in your cloud provider. You can optionally include a `$config` section to declare which provider and settings to use.
+The mapping file (`param-map.json`) is the core of Envilder. It's the single model that defines
+what secrets your app needs and where they live in your cloud provider. The same file is used by
+the CLI, the GitHub Action, and the runtime SDKs. You can optionally include a `$config` section
+to declare which provider and settings to use.
 
-### Basic Format (AWS SSM — default)
+### Basic Format (AWS SSM, default)
 
 When no `$config` is present, Envilder defaults to AWS SSM Parameter Store:
 
@@ -304,7 +211,7 @@ and uses all other keys as secret mappings:
 ```
 
 > **Azure naming:** Key Vault secret names only allow alphanumeric characters and hyphens.
-> Envilder automatically normalizes names — slashes and underscores become hyphens
+> Envilder automatically normalizes names: slashes and underscores become hyphens
 > (e.g., `/myapp/db/password` → `myapp-db-password`).
 
 ### `$config` Options
@@ -312,8 +219,8 @@ and uses all other keys as secret mappings:
 | Key | Type | Default | Description |
 | --- | --- | --- | --- |
 | `provider` | `"aws"` \| `"azure"` | `"aws"` | Cloud provider to use |
-| `vaultUrl` | `string` | — | Azure Key Vault URL (required when `provider` is `"azure"`) |
-| `profile` | `string` | — | AWS CLI profile for multi-account setups (AWS only) |
+| `vaultUrl` | `string` | - | Azure Key Vault URL (required when `provider` is `"azure"`) |
+| `profile` | `string` | - | AWS CLI profile for multi-account setups (AWS only) |
 
 ### Configuration Priority
 
@@ -335,152 +242,146 @@ envilder --provider=azure --vault-url=https://other-vault.vault.azure.net --map=
 
 ---
 
-## 🛠️ How it works
-
-```mermaid
-graph LR
-    A["Mapping File (param-map.json)"] --> B[Envilder]:::core
-    C["Environment File (.env or --key)"] --> B
-    D["Cloud Credentials (AWS or Azure)"]:::cloud --> B
-    E["AWS SSM / Azure Key Vault"]:::cloud --> B
-    B --> F["Pull/Push Secrets"]
-
-    classDef cloud fill:#ffcc66,color:#000000,stroke:#333,stroke-width:1.5px;
-    classDef core fill:#1f3b57,color:#fff,stroke:#ccc,stroke-width:2px;
-```
-
-1. Define mappings in a JSON file: `{"DB_PASSWORD": "/myapp/db/password"}`
-2. **Pull** secrets into a `.env` file: `envilder --map=param-map.json --envfile=.env`
-3. **Push** local values back: `envilder --push --map=param-map.json --envfile=.env`
-4. Envilder syncs secrets securely with AWS SSM or Azure Key Vault using your cloud credentials
-5. Use `--provider=azure` to switch from the default AWS provider
-6. Result: your secrets are always up-to-date, secure, and ready for any environment
+## 🧩 Runtime SDKs
 
----
+Beyond the CLI and GitHub Action, Envilder provides **runtime SDKs** that resolve secrets
+directly into your application's memory at startup. No `.env` file written to disk, no secrets
+left behind. SDKs use the same map-file format as the CLI.
 
-## Frequently Asked Questions (FAQ)
+### .NET SDK
 
-**Q: What is Envilder?**  
-A: Envilder is a CLI tool for automating .env and secret management using AWS SSM Parameter Store or Azure Key Vault.
+Install via NuGet:
 
-**Q: Which cloud providers are supported?**  
-A: AWS SSM Parameter Store (default) and Azure Key Vault. Use `--provider=azure` to switch providers.
+```bash
+dotnet add package Envilder
+```
 
-**Q: How does Envilder improve security?**  
-A: Secrets are never stored in code or shared via chat/email. All secrets are managed and synced securely via your
-cloud provider.
+Load secrets into `IConfiguration` or inject them into the process environment:
 
-**Q: Can I use Envilder in CI/CD pipelines?**  
-A: Yes! Use the official [Envilder GitHub Action](./github-action/README.md) to pull secrets directly
-in your workflows — no extra setup needed.
+```csharp
+// Option A: integrate with IConfiguration
+var mapFile = new MapFileParser().Parse(
+    File.ReadAllText("secrets-map.json"));
+var provider = SecretProviderFactory.Create(mapFile.Config);
 
-**Q: Does Envilder support multiple AWS profiles?**  
-A: Yes, you can use the `--profile` flag to select different AWS credentials.
+var config = new ConfigurationBuilder()
+    .AddEnvilder("secrets-map.json", provider)
+    .Build();
 
-**Q: How do I configure Azure Key Vault?**  
-A: Add a `$config` section to your map file with `"provider": "azure"` and `"vaultUrl": "https://my-vault.vault.azure.net"`,
-or use `--provider=azure --vault-url=https://my-vault.vault.azure.net` CLI flags. Authentication uses Azure
-Default Credentials (Azure CLI, managed identity, etc.).
+var dbPassword = config["DB_PASSWORD"];
 
-**Q: What environments does Envilder support?**  
-A: Any environment supported by your cloud provider—dev, test, staging, production, etc.
+// Option B: resolve + inject into environment
+var client = new EnvilderClient(provider);
+var secrets = await client.ResolveSecretsAsync(mapFile);
+EnvilderClient.InjectIntoEnvironment(secrets);
+```
 
-**Q: Is Envilder open source?**  
-A: Yes, licensed under MIT.
+📖 **[Full .NET SDK docs](./src/sdks/dotnet/README.md)**
 
----
+### Python SDK
 
-## 🔍 Envilder vs. Alternatives
+Install via uv (recommended) or pip:
 
-Envilder is not a secrets manager. It is a **deterministic projection layer** from cloud secret
-stores into `.env` files. It does not store secrets, does not require a backend, and integrates
-cleanly into CI/CD pipelines.
+```bash
+uv add envilder
+# or
+pip install envilder
+```
 
-To make a fair comparison, it's important to separate tools by what they actually do:
+Load secrets into your application with a single line:
 
-### Secrets sync tools (direct alternatives)
+```python
+from envilder import Envilder
 
-These tools manage secrets as data and project them into `.env` or runtime:
+# Resolve + inject into os.environ
+Envilder.load('secrets-map.json')
+```
 
-| Feature | Envilder | dotenv-vault | infisical |
-|---------|----------|-------------|----------|
-| **Source of truth** | External (SSM / Key Vault) | dotenv vault (SaaS) | Infisical backend |
-| **Sync direction** | Bidirectional | Pull only | Bidirectional |
-| **Declarative mapping** | ✅ JSON mapping | ❌ | ❌ |
-| **Multi-provider (AWS + Azure)** | ✅ | ❌ | ⚠️ (primarily its own backend) |
-| **Local `.env` generation** | ✅ | ✅ | ✅ |
-| **CI/CD integration** | ✅ Native GitHub Action | Manual | ✅ Native |
-| **Requires SaaS** | ❌ | ✅ | Optional |
-| **Self-hosted** | N/A (no server needed) | ❌ | ✅ |
-| **Complexity** | Low | Low | Medium |
-| **Vendor lock-in** | Low | High | Medium |
-| **Open source** | ✅ MIT | Partial | ✅ |
+Or route by environment, where each environment points to its own map file:
 
-### Runtime & credential tools (not direct alternatives)
+```python
+from envilder import Envilder
 
-These tools serve different purposes and are better seen as **complements**, not competitors:
+Envilder.load('production', {
+    'production': 'prod-secrets.json',
+    'development': 'dev-secrets.json',
+    'test': None,  # no secrets loaded
+})
+```
 
-| Tool | Purpose | Manages app secrets? | Works with `.env`? |
-|------|---------|---------------------|-------------------|
-| **chamber** | Injects SSM params at runtime (`exec` with env) | ❌ | ❌ |
-| **aws-vault** | Safely assumes AWS IAM roles / STS credentials | ❌ | ❌ |
+📖 **[Full Python SDK docs](./src/sdks/python/README.md)**
 
-### When to use what
+---
 
-- **Need a full vault with its own backend?** → [Infisical](https://infisical.com)
-- **Need SaaS simplicity for `.env` sync?** → [dotenv-vault](https://www.dotenv.org/vault)
-- **Need a projection layer from existing cloud stores?** → **Envilder**
+## 🛠️ How it works
 
-### Why choose Envilder?
+```mermaid
+graph LR
+    A["Mapping Model (param-map.json)"] --> B[Envilder]:::core
+    B --> C["CLI → .env file"]
+    B --> D["GitHub Action → CI/CD"]
+    B --> E["SDK → app memory"]
+    F["AWS SSM / Azure Key Vault"]:::cloud --> B
 
-If you already use AWS SSM or Azure Key Vault and want a lightweight, zero-infrastructure CLI
-that generates `.env` files from a declarative JSON mapping — without a SaaS dependency or extra
-servers — Envilder is the simplest path.
+    classDef cloud fill:#ffcc66,color:#000000,stroke:#333,stroke-width:1.5px;
+    classDef core fill:#1f3b57,color:#fff,stroke:#ccc,stroke-width:2px;
+```
 
-Envilder also brings unique strengths in **determinism** and **testability**:
+1. **Define**: create a `param-map.json` mapping env var names to cloud secret paths
+2. **Resolve**: Envilder fetches each secret from your cloud vault
+3. **Deliver**: secrets arrive as a `.env` file (CLI/GHA) or in-memory (SDKs)
+4. **Push**: rotate or add secrets from your local environment back to the cloud
 
-- **Versioned mappings** — your `param-map.json` lives in source control, making secret
-  projections reproducible across environments
-- **Mockable architecture** — hexagonal design with port interfaces makes offline testing
-  and CI validation straightforward
-- **Audit trail** — all reads/writes are logged by your cloud provider
-  (AWS CloudTrail / Azure Monitor), not by a third-party SaaS
+---
 
-### Where Envilder fits best
+## 🔍 Envilder vs. Alternatives
 
-Envilder generates `.env` files on disk. This is ideal for:
+Envilder is not a secrets manager. It is a **configuration resolution layer** that reads from your
+existing cloud vault and delivers secrets where they're needed (`.env` file, CI/CD, app memory).
+No SaaS backend. No extra servers.
 
-- **Local development** — onboard new team members with a single command
-- **CI/CD pipelines** — inject secrets at build time without hardcoding them
-- **SSG/SSR builds** — frameworks like Next.js, Nuxt, or Astro that read env vars at build time
+| | Envilder | dotenvx | Infisical |
+|-|----------|---------|-----------|
+| **Source of truth** | Your cloud (SSM / Key Vault) | Encrypted `.env` in git | Infisical backend |
+| **Declarative mapping** | ✅ JSON file | ❌ | ❌ |
+| **Multi-cloud** | ✅ AWS + Azure | ❌ | ✅ |
+| **Runtime SDKs** | ✅ .NET, Python | ✅ Node.js | ✅ 6+ languages |
+| **Requires SaaS** | ❌ | ❌ | Optional |
+| **Infrastructure** | None | None | Server required |
 
-For **production runtime**, container orchestrators (ECS, Kubernetes) and platform services
-(Vercel, Fly.io) can inject secrets directly as environment variables — no `.env` file needed.
-In those cases, prefer native secret injection over writing secrets to disk.
+> **When Envilder shines:** you already have secrets in AWS SSM or Azure Key Vault and want
+> a versioned mapping file that resolves them everywhere: local dev, CI/CD, and app runtime.
+> No data to migrate. No servers to deploy. No vendor to depend on.
 
-> **Coming soon:** An `--exec` mode is planned to inject secrets directly into a child process
-> without writing to disk (e.g., `envilder exec -- node server.js`). See the [Roadmap](./ROADMAP.md).
+For detailed tool-by-tool comparison including
+[chamber](https://github.com/segmentio/chamber) and
+[aws-vault](https://github.com/99designs/aws-vault),
+see [envilder.com](https://envilder.com).
 
 ---
 
-## 🏁 Roadmap
+## 🏁 What's Next
 
-We're continuously improving Envilder based on community feedback. Upcoming features include:
+Envilder already covers the full dev-to-production lifecycle with CLI, GitHub Action,
+and runtime SDKs for .NET and Python. Here's what's coming:
 
-- ✅ **Azure Key Vault support** — now available alongside AWS SSM
-- � **Exec mode** — inject secrets into a child process without writing to disk
-- 🔍 **Check/sync mode** for drift detection
-- 🌐 **Documentation website** — dedicated docs site with guides and examples
-- 🧠 **Auto-discovery** for bulk parameter fetching
-- 🔌 **More backends** (HashiCorp Vault, GCP Secret Manager, etc.)
+| Status | Feature |
+|--------|---------|
+| ✅ | Pull & Push: bidirectional sync between `.env` and cloud vault |
+| ✅ | Multi-provider: AWS SSM + Azure Key Vault |
+| ✅ | GitHub Action for CI/CD |
+| ✅ | .NET SDK and Python SDK |
+| 🚧 | TypeScript, Go, and Java SDKs |
+| 🚧 | GCP Secret Manager |
+| 🚧 | Exec mode (inject secrets without writing to disk) |
 
-👉 **[View full roadmap with priorities](./ROADMAP.md)**
+👉 **[Full roadmap with priorities](./ROADMAP.md)**
 
 ---
 
 ## 🤝 Contributing
 
-All help is welcome — PRs, issues, ideas!
+All help is welcome! PRs, issues, ideas.
 
 - 🔧 Use our [Pull Request Template](.github/pull_request_template.md)
 - 🧪 Add tests where possible
@@ -490,6 +391,24 @@ All help is welcome — PRs, issues, ideas!
 
 ---
 
+## 💜 Sponsors
+
+<p align="center">
+  <a href="https://localstack.cloud" target="_blank" rel="noopener noreferrer">
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="./src/website/public/localstack-logo-horizontal-Light.svg">
+      <source media="(prefers-color-scheme: light)" srcset="./src/website/public/localstack-logo-horizontal-Dark.svg">
+      <img src="./src/website/public/localstack-logo-horizontal-Dark.svg" alt="LocalStack" height="40">
+    </picture>
+  </a>
+</p>
+
+<p align="center">
+  Supported by <a href="https://localstack.cloud">LocalStack</a>.
+</p>
+
+---
+
 ## 📜 License
 
 MIT © [Marçal Albert](https://github.com/macalbert)