npm - envilder - Versions diffs - 0.9.2 → 0.9.3 - Mend

envilder 0.9.2 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -5,144 +5,114 @@
 </p>
 <p align="center">
-  <b>Automate .env and secret management with Envilder</b><br>
-  <span>Streamline your environment setup with AWS SSM Parameter Store or Azure Key Vault</span>
+  <b>One model. Your secrets. Every runtime.</b><br>
+  <span>Define secret mappings once. Resolve them consistently from AWS SSM or Azure Key Vault.</span>
 </p>
-![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/macalbert/envilder?utm_source=oss&utm_medium=github&utm_campaign=macalbert%2Fenvilder&labelColor=171717&color=FF570A&link=https%3A%2F%2Fcoderabbit.ai&label=CodeRabbit+Reviews)
 [![npm version](https://img.shields.io/npm/v/envilder.svg)](https://www.npmjs.com/package/envilder)
 [![npm downloads](https://img.shields.io/npm/dm/envilder.svg)](https://npmcharts.com/compare/envilder)
 [![CI Tests](https://github.com/macalbert/envilder/actions/workflows/tests.yml/badge.svg)](https://github.com/macalbert/envilder/actions/workflows/tests.yml)
-[![Coverage Report](https://img.shields.io/badge/coverage-report-green.svg)](https://macalbert.github.io/envilder/)
-[![Known Vulnerabilities](https://snyk.io/test/github/macalbert/envilder/badge.svg)](https://snyk.io/test/github/macalbert/envilder)
+[![Overall Coverage](https://macalbert.github.io/envilder/badge_combined.svg)](https://macalbert.github.io/envilder/)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
-## Why centralize environment variables?
+## Why Envilder?
+Your new developer joins the team. They need environment variables to run the app locally.
+What happens next? Someone sends API keys over Slack. Someone else digs up a wiki page
+with outdated credentials. Forty-five minutes later, their `.env` file is "probably correct".
+**Envilder fixes this in one command.**
+You create a JSON mapping between variable names and cloud secret paths. Envilder resolves
+them from AWS SSM or Azure Key Vault. The same mapping file works in local dev (CLI),
+CI/CD (GitHub Action), and application startup (runtime SDKs).
+```bash
+envilder --map=param-map.json --envfile=.env
+```
-Envilder is a CLI tool for .env automation, cloud secrets management, and secure environment variable sync.
-Generating and maintaining consistent .env files is a real pain point for any development team. From outdated
-secrets to insecure practices, the risks are tangible. Envilder eliminates these pitfalls by centralizing and
-automating secret management across real-world environments (dev, test, production) in a simple, secure, and
-efficient way. Use Envilder to automate .env files, sync secrets with AWS SSM Parameter Store or Azure Key Vault,
-and streamline onboarding and CI/CD workflows.
+No SaaS middleman. No vendor lock-in. Secrets stay in your cloud.
 ---
-## ❗ What Envilder solves
+## The problem
-- Desync between environments (dev, prod)
-- Secrets not properly propagated across team members
-- CI/CD pipeline failures due to outdated or missing .env files
-- Slow and manual onboarding processes
-- Security risks from sharing secrets via Slack, email, or other channels
-- Insecure .env practices and manual secret sharing
+- **Onboarding takes hours, not seconds.** Every new developer needs someone to explain which
+  secrets go where. Keys get shared over Slack, pasted from wikis, or copied from a colleague's
+  machine. It's slow, error-prone, and insecure.
+- **Every environment has its own workflow.** Local dev reads `.env` files. CI/CD uses vault
+  integrations. Production has its own method. Same app, three different secret workflows.
+- **No single source of truth.** Without a versioned contract, dev/staging/production configs
+  drift apart. Deployments break. Nobody knows which config is correct.
-## ✅ How Envilder makes life easier
+## How Envilder solves it
-- 🛡️ Centralizes secrets in AWS SSM Parameter Store or Azure Key Vault
-- ☁️ Multi-provider support — choose `aws` or `azure` with the `--provider` flag
-- ⚙️ Generates .env files automatically for every environment
-- 🔄 Applies changes idempotently and instantly
-- 🔐 Improves security: no need to share secrets manually; everything is managed via your cloud provider
-- 👥 Simplifies onboarding and internal rotations
-- 🚀 Enables cloud-native, infrastructure-as-code secret management
-- 🤖 Perfect for DevOps, CI/CD, and team sync
+- 📋 **One mapping file for everything.** A single `param-map.json` defines what secrets your app
+  needs. Git-versioned, PR-reviewable, the same across every environment.
+- ⚡ **Works everywhere your code runs.** CLI for local dev, GitHub Action for CI/CD, runtime SDKs
+  for application startup. Same file, same result.
+- 🛡️ **Your cloud, zero infrastructure.** Secrets stay in AWS SSM or Azure Key Vault. No SaaS
+  proxy, no extra servers, no data to migrate.
 ---
-## 📚 Table of Contents
-- [🗝️ Envilder ☁️](#️-envilder-️)
-  - [Why centralize environment variables?](#why-centralize-environment-variables)
-  - [❗ What Envilder solves](#-what-envilder-solves)
-  - [✅ How Envilder makes life easier](#-how-envilder-makes-life-easier)
-  - [📚 Table of Contents](#-table-of-contents)
-  - [⚙️ Features](#️-features)
-    - [🧱 Feature Status](#-feature-status)
-  - [💾 Installation](#-installation)
-    - [🤖 GitHub Action](#-github-action)
-  - [🚀 Quick Start](#-quick-start)
-    - [🎥 Video Demonstration](#-video-demonstration)
-    - [🏁 Get Started (3 steps)](#-get-started-3-steps)
-      - [AWS SSM (default)](#aws-ssm-default)
-      - [Azure Key Vault](#azure-key-vault)
-    - [📚 Quick Links](#-quick-links)
-  - [🗺️ Mapping File Format](#️-mapping-file-format)
-    - [Basic Format (AWS SSM — default)](#basic-format-aws-ssm--default)
-    - [With `$config` (explicit provider)](#with-config-explicit-provider)
-    - [`$config` Options](#config-options)
-    - [Configuration Priority](#configuration-priority)
-  - [🛠️ How it works](#️-how-it-works)
-  - [Frequently Asked Questions (FAQ)](#frequently-asked-questions-faq)
-  - [🔍 Envilder vs. Alternatives](#-envilder-vs-alternatives)
-    - [Secrets sync tools (direct alternatives)](#secrets-sync-tools-direct-alternatives)
-    - [Runtime \& credential tools (not direct alternatives)](#runtime--credential-tools-not-direct-alternatives)
-    - [When to use what](#when-to-use-what)
-    - [Why choose Envilder?](#why-choose-envilder)
-    - [Where Envilder fits best](#where-envilder-fits-best)
-  - [🏁 Roadmap](#-roadmap)
-  - [🤝 Contributing](#-contributing)
-  - [💜 Sponsors](#-sponsors)
-  - [📜 License](#-license)
+## ⚙️ Features
+| Feature | Description |
+|---------|-------------|
+| 📋 **Declarative Mapping** | One JSON file defines all secrets. Git-versioned, PR-reviewable, diff-able |
+| ☁️ **Multi-Provider** | AWS SSM + Azure Key Vault. No vendor lock-in |
+| 🔌 **Runtime SDKs** | Load secrets into memory at app startup: [.NET](./src/sdks/dotnet/README.md), [Python](./src/sdks/python/README.md). No `.env` on disk |
+| ⚙️ **GitHub Action** | Pull secrets in CI/CD. Same mapping, zero manual config |
+| 🔄 **Bidirectional Sync** | Pull secrets to `.env` or push values back to the cloud |
+| 🧱 **Zero Infrastructure** | No servers, no proxies, no SaaS. Uses cloud services you already have |
 ---
-## ⚙️ Features
+## 🚀 Quick Start
-- 🔒 **Strict access control** — IAM policies (AWS) or RBAC (Azure) define access to secrets across stages
-(dev, staging, prod)
-- 📊 **Auditable** — All reads/writes are logged in AWS CloudTrail or Azure Monitor
-- 🧩 **Single source of truth** — No more Notion, emails or copy/paste of envs
-- 🔁 **Idempotent sync** — Only what's in your map gets updated. Nothing else is touched
-- 🧱 **Zero infrastructure** — Fully based on native cloud services. No Lambdas, no servers, no fuss
+### 🎥 See it in action
-### 🧱 Feature Status
+Watch how easy it is to automate your .env management in less than 1 minute:
-- 🤖 **GitHub Action** — [Integrate directly in CI/CD workflows](./github-action/README.md)
-- 📤 **Push & Pull** — Bidirectional sync between local `.env` and your cloud provider
-- ☁️ **Multi-provider** — AWS SSM Parameter Store and Azure Key Vault
-- 🎯 **AWS Profile support** — Use `--profile` flag for multi-account setups
+![Watch the video](https://github.com/user-attachments/assets/9f194143-117d-49f3-a6fb-f400040ea514)
----
+### 🏁 Get Started (2 steps)
-## 💾 Installation
+**1. Create a mapping file** (`param-map.json`):
-🛠 Requirements:
+```json
+{
+  "DB_PASSWORD": "/my-app/db/password",
+  "API_KEY": "/my-app/api-key"
+}
+```
-- Node.js **v20+** (cloud-native compatible)
-- **AWS provider**: AWS CLI installed and configured; IAM user/role with `ssm:GetParameter`, `ssm:PutParameter`
-- **Azure provider**: Azure CLI installed; vault URL configured via
-`$config.vaultUrl` in your map file or `--vault-url` flag
+**2. Generate your `.env` file:**
 ```bash
-pnpm add -g envilder
+npx envilder --map=param-map.json --envfile=.env
 ```
-Or use your preferred package manager:
+That's it. Your secrets are pulled from AWS SSM and written to `.env`.
+Add `.env` to `.gitignore`. The mapping file is versioned and reviewable in PRs.
+> 💡 Using Azure Key Vault? Add a `$config` section to your mapping file.
+> See [Mapping File Format](#️-mapping-file-format) below.
+### 💾 Installation
 ```bash
 npm install -g envilder
 ```
-> 💡 **Want to try without installing?** Run `npx envilder --help` to explore the CLI instantly.
->
-> 💡 **New to AWS SSM?** AWS Systems Manager Parameter Store provides secure storage for configuration data and secrets:
->
-> - [AWS SSM Parameter Store Overview](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
-> - [Setting up AWS CLI credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
-> - [IAM permissions for SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html)
+> 💡 **No install needed?** `npx envilder` works out of the box.
 >
-> 💡 **New to Azure Key Vault?** Azure Key Vault safeguards cryptographic keys and secrets used by cloud apps:
->
-> - [Azure Key Vault Overview](https://learn.microsoft.com/en-us/azure/key-vault/general/overview)
-> - [Setting up Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
-> - [Key Vault access policies](https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy)
+> **Requirements:** Node.js v20+. AWS CLI or Azure CLI configured.
+> See [full requirements](docs/requirements-installation.md).
 ### 🤖 GitHub Action
-Use Envilder directly in your CI/CD workflows with our official GitHub Action:
 **AWS SSM (default):**
 ```yaml
@@ -178,77 +148,11 @@ Use Envilder directly in your CI/CD workflows with our official GitHub Action:
     vault-url: ${{ secrets.AZURE_KEY_VAULT_URL }}
 ```
-📖 **[View full GitHub Action documentation](./github-action/README.md)**
----
-## 🚀 Quick Start
-### 🎥 Video Demonstration
-Watch how easy it is to automate your .env management in less than 1 minute:
-![Watch the video](https://github.com/user-attachments/assets/9f194143-117d-49f3-a6fb-f400040ea514)
-### 🏁 Get Started (3 steps)
-After configuring your cloud provider credentials, you can begin managing your secrets.
-#### AWS SSM (default)
-1. **Create a mapping file:**
-   ```json
-   {
-     "DB_PASSWORD": "/my-app/db/password"
-   }
-   ```
-2. **Push a secret to AWS SSM:**
+📖 **[Full GitHub Action docs](./github-action/README.md)**
-   ```bash
-   envilder --push --key=DB_PASSWORD --value=12345 --secret-path=/my-app/db/password
-   ```
+### 📚 More resources
-3. **Generate your .env file from AWS SSM:**
-   ```bash
-   envilder --map=param-map.json --envfile=.env
-   ```
-#### Azure Key Vault
-1. **Add `$config` to your mapping file:**
-   ```json
-   {
-     "$config": {
-       "provider": "azure",
-       "vaultUrl": "https://my-vault.vault.azure.net"
-     },
-     "DB_PASSWORD": "my-app-db-password"
-   }
-   ```
-2. **Pull secrets from Azure Key Vault:**
-   ```bash
-   envilder --map=param-map.json --envfile=.env
-   ```
-   Or use CLI flags to override:
-   ```bash
-   envilder --provider=azure --vault-url=https://my-vault.vault.azure.net --map=param-map.json --envfile=.env
-   ```
-Your secrets are now managed and versioned from your cloud provider. Add `.env` to your `.gitignore` for security.
-Envilder is designed for automation, onboarding, and secure cloud-native workflows.
-### 📚 Quick Links
-- [📖 Full Documentation](https://envilder.com) — Visit envilder.com for the complete guide
-- [Requirements & Installation](docs/requirements-installation.md)
+- [📖 Full Documentation](https://envilder.com): the complete guide at envilder.com
 - [Push Command Guide](docs/push-command.md)
 - [Pull Command Guide](docs/pull-command.md)
@@ -256,10 +160,12 @@ Envilder is designed for automation, onboarding, and secure cloud-native workflo
 ## 🗺️ Mapping File Format
-The mapping file (`param-map.json`) is the core of Envilder. It maps environment variable names to secret paths
-in your cloud provider. You can optionally include a `$config` section to declare which provider and settings to use.
+The mapping file (`param-map.json`) is the core of Envilder. It's the single model that defines
+what secrets your app needs and where they live in your cloud provider. The same file is used by
+the CLI, the GitHub Action, and the runtime SDKs. You can optionally include a `$config` section
+to declare which provider and settings to use.
-### Basic Format (AWS SSM — default)
+### Basic Format (AWS SSM, default)
 When no `$config` is present, Envilder defaults to AWS SSM Parameter Store:
@@ -305,7 +211,7 @@ and uses all other keys as secret mappings:
 ```
 > **Azure naming:** Key Vault secret names only allow alphanumeric characters and hyphens.
-> Envilder automatically normalizes names — slashes and underscores become hyphens
+> Envilder automatically normalizes names: slashes and underscores become hyphens
 > (e.g., `/myapp/db/password` → `myapp-db-password`).
 ### `$config` Options
@@ -313,8 +219,8 @@ and uses all other keys as secret mappings:
 | Key | Type | Default | Description |
 | --- | --- | --- | --- |
 | `provider` | `"aws"` \| `"azure"` | `"aws"` | Cloud provider to use |
-| `vaultUrl` | `string` | — | Azure Key Vault URL (required when `provider` is `"azure"`) |
-| `profile` | `string` | — | AWS CLI profile for multi-account setups (AWS only) |
+| `vaultUrl` | `string` | - | Azure Key Vault URL (required when `provider` is `"azure"`) |
+| `profile` | `string` | - | AWS CLI profile for multi-account setups (AWS only) |
 ### Configuration Priority
@@ -336,152 +242,146 @@ envilder --provider=azure --vault-url=https://other-vault.vault.azure.net --map=
 ---
-## 🛠️ How it works
-```mermaid
-graph LR
-    A["Mapping File (param-map.json)"] --> B[Envilder]:::core
-    C["Environment File (.env or --key)"] --> B
-    D["Cloud Credentials (AWS or Azure)"]:::cloud --> B
-    E["AWS SSM / Azure Key Vault"]:::cloud --> B
-    B --> F["Pull/Push Secrets"]
-    classDef cloud fill:#ffcc66,color:#000000,stroke:#333,stroke-width:1.5px;
-    classDef core fill:#1f3b57,color:#fff,stroke:#ccc,stroke-width:2px;
-```
+## 🧩 Runtime SDKs
-1. Define mappings in a JSON file: `{"DB_PASSWORD": "/myapp/db/password"}`
-2. **Pull** secrets into a `.env` file: `envilder --map=param-map.json --envfile=.env`
-3. **Push** local values back: `envilder --push --map=param-map.json --envfile=.env`
-4. Envilder syncs secrets securely with AWS SSM or Azure Key Vault using your cloud credentials
-5. Use `--provider=azure` to switch from the default AWS provider
-6. Result: your secrets are always up-to-date, secure, and ready for any environment
+Beyond the CLI and GitHub Action, Envilder provides **runtime SDKs** that resolve secrets
+directly into your application's memory at startup. No `.env` file written to disk, no secrets
+left behind. SDKs use the same map-file format as the CLI.
----
+### .NET SDK
-## Frequently Asked Questions (FAQ)
+Install via NuGet:
-**Q: What is Envilder?**
-A: Envilder is a CLI tool for automating .env and secret management using AWS SSM Parameter Store or Azure Key Vault.
-**Q: Which cloud providers are supported?**
-A: AWS SSM Parameter Store (default) and Azure Key Vault. Use `--provider=azure` to switch providers.
+```bash
+dotnet add package Envilder
+```
-**Q: How does Envilder improve security?**
-A: Secrets are never stored in code or shared via chat/email. All secrets are managed and synced securely via your
-cloud provider.
+Load secrets into `IConfiguration` or inject them into the process environment:
-**Q: Can I use Envilder in CI/CD pipelines?**
-A: Yes! Use the official [Envilder GitHub Action](./github-action/README.md) to pull secrets directly
-in your workflows — no extra setup needed.
+```csharp
+// Option A: integrate with IConfiguration
+var mapFile = new MapFileParser().Parse(
+    File.ReadAllText("secrets-map.json"));
+var provider = SecretProviderFactory.Create(mapFile.Config);
-**Q: Does Envilder support multiple AWS profiles?**
-A: Yes, you can use the `--profile` flag to select different AWS credentials.
+var config = new ConfigurationBuilder()
+    .AddEnvilder("secrets-map.json", provider)
+    .Build();
-**Q: How do I configure Azure Key Vault?**
-A: Add a `$config` section to your map file with `"provider": "azure"` and `"vaultUrl": "https://my-vault.vault.azure.net"`,
-or use `--provider=azure --vault-url=https://my-vault.vault.azure.net` CLI flags. Authentication uses Azure
-Default Credentials (Azure CLI, managed identity, etc.).
+var dbPassword = config["DB_PASSWORD"];
-**Q: What environments does Envilder support?**
-A: Any environment supported by your cloud provider—dev, test, staging, production, etc.
+// Option B: resolve + inject into environment
+var client = new EnvilderClient(provider);
+var secrets = await client.ResolveSecretsAsync(mapFile);
+EnvilderClient.InjectIntoEnvironment(secrets);
+```
-**Q: Is Envilder open source?**
-A: Yes, licensed under MIT.
+📖 **[Full .NET SDK docs](./src/sdks/dotnet/README.md)**
----
+### Python SDK
-## 🔍 Envilder vs. Alternatives
+Install via uv (recommended) or pip:
-Envilder is not a secrets manager. It is a **deterministic projection layer** from cloud secret
-stores into `.env` files. It does not store secrets, does not require a backend, and integrates
-cleanly into CI/CD pipelines.
+```bash
+uv add envilder
+# or
+pip install envilder
+```
-To make a fair comparison, it's important to separate tools by what they actually do:
+Load secrets into your application with a single line:
-### Secrets sync tools (direct alternatives)
+```python
+from envilder import Envilder
-These tools manage secrets as data and project them into `.env` or runtime:
+# Resolve + inject into os.environ
+Envilder.load('secrets-map.json')
+```
-| Feature | Envilder | dotenv-vault | infisical |
-|---------|----------|-------------|----------|
-| **Source of truth** | External (SSM / Key Vault) | dotenv vault (SaaS) | Infisical backend |
-| **Sync direction** | Bidirectional | Pull only | Bidirectional |
-| **Declarative mapping** | ✅ JSON mapping | ❌ | ❌ |
-| **Multi-provider (AWS + Azure)** | ✅ | ❌ | ⚠️ (primarily its own backend) |
-| **Local `.env` generation** | ✅ | ✅ | ✅ |
-| **CI/CD integration** | ✅ Native GitHub Action | Manual | ✅ Native |
-| **Requires SaaS** | ❌ | ✅ | Optional |
-| **Self-hosted** | N/A (no server needed) | ❌ | ✅ |
-| **Complexity** | Low | Low | Medium |
-| **Vendor lock-in** | Low | High | Medium |
-| **Open source** | ✅ MIT | Partial | ✅ |
+Or route by environment, where each environment points to its own map file:
-### Runtime & credential tools (not direct alternatives)
+```python
+from envilder import Envilder
-These tools serve different purposes and are better seen as **complements**, not competitors:
+Envilder.load('production', {
+    'production': 'prod-secrets.json',
+    'development': 'dev-secrets.json',
+    'test': None,  # no secrets loaded
+})
+```
-| Tool | Purpose | Manages app secrets? | Works with `.env`? |
-|------|---------|---------------------|-------------------|
-| **chamber** | Injects SSM params at runtime (`exec` with env) | ❌ | ❌ |
-| **aws-vault** | Safely assumes AWS IAM roles / STS credentials | ❌ | ❌ |
+📖 **[Full Python SDK docs](./src/sdks/python/README.md)**
-### When to use what
+---
-- **Need a full vault with its own backend?** → [Infisical](https://infisical.com)
-- **Need SaaS simplicity for `.env` sync?** → [dotenv-vault](https://www.dotenv.org/vault)
-- **Need a projection layer from existing cloud stores?** → **Envilder**
+## 🛠️ How it works
-### Why choose Envilder?
+```mermaid
+graph LR
+    A["Mapping Model (param-map.json)"] --> B[Envilder]:::core
+    B --> C["CLI → .env file"]
+    B --> D["GitHub Action → CI/CD"]
+    B --> E["SDK → app memory"]
+    F["AWS SSM / Azure Key Vault"]:::cloud --> B
-If you already use AWS SSM or Azure Key Vault and want a lightweight, zero-infrastructure CLI
-that generates `.env` files from a declarative JSON mapping — without a SaaS dependency or extra
-servers — Envilder is the simplest path.
+    classDef cloud fill:#ffcc66,color:#000000,stroke:#333,stroke-width:1.5px;
+    classDef core fill:#1f3b57,color:#fff,stroke:#ccc,stroke-width:2px;
+```
-Envilder also brings unique strengths in **determinism** and **testability**:
+1. **Define**: create a `param-map.json` mapping env var names to cloud secret paths
+2. **Resolve**: Envilder fetches each secret from your cloud vault
+3. **Deliver**: secrets arrive as a `.env` file (CLI/GHA) or in-memory (SDKs)
+4. **Push**: rotate or add secrets from your local environment back to the cloud
-- **Versioned mappings** — your `param-map.json` lives in source control, making secret
-  projections reproducible across environments
-- **Mockable architecture** — hexagonal design with port interfaces makes offline testing
-  and CI validation straightforward
-- **Audit trail** — all reads/writes are logged by your cloud provider
-  (AWS CloudTrail / Azure Monitor), not by a third-party SaaS
+---
-### Where Envilder fits best
+## 🔍 Envilder vs. Alternatives
-Envilder generates `.env` files on disk. This is ideal for:
+Envilder is not a secrets manager. It is a **configuration resolution layer** that reads from your
+existing cloud vault and delivers secrets where they're needed (`.env` file, CI/CD, app memory).
+No SaaS backend. No extra servers.
-- **Local development** — onboard new team members with a single command
-- **CI/CD pipelines** — inject secrets at build time without hardcoding them
-- **SSG/SSR builds** — frameworks like Next.js, Nuxt, or Astro that read env vars at build time
+| | Envilder | dotenvx | Infisical |
+|-|----------|---------|-----------|
+| **Source of truth** | Your cloud (SSM / Key Vault) | Encrypted `.env` in git | Infisical backend |
+| **Declarative mapping** | ✅ JSON file | ❌ | ❌ |
+| **Multi-cloud** | ✅ AWS + Azure | ❌ | ✅ |
+| **Runtime SDKs** | ✅ .NET, Python | ✅ Node.js | ✅ 6+ languages |
+| **Requires SaaS** | ❌ | ❌ | Optional |
+| **Infrastructure** | None | None | Server required |
-For **production runtime**, container orchestrators (ECS, Kubernetes) and platform services
-(Vercel, Fly.io) can inject secrets directly as environment variables — no `.env` file needed.
-In those cases, prefer native secret injection over writing secrets to disk.
+> **When Envilder shines:** you already have secrets in AWS SSM or Azure Key Vault and want
+> a versioned mapping file that resolves them everywhere: local dev, CI/CD, and app runtime.
+> No data to migrate. No servers to deploy. No vendor to depend on.
-> **Coming soon:** An `--exec` mode is planned to inject secrets directly into a child process
-> without writing to disk (e.g., `envilder exec -- node server.js`). See the [Roadmap](./ROADMAP.md).
+For detailed tool-by-tool comparison including
+[chamber](https://github.com/segmentio/chamber) and
+[aws-vault](https://github.com/99designs/aws-vault),
+see [envilder.com](https://envilder.com).
 ---
-## 🏁 Roadmap
+## 🏁 What's Next
-We're continuously improving Envilder based on community feedback. Upcoming features include:
+Envilder already covers the full dev-to-production lifecycle with CLI, GitHub Action,
+and runtime SDKs for .NET and Python. Here's what's coming:
-- ✅ **Azure Key Vault support** — now available alongside AWS SSM
-- � **Exec mode** — inject secrets into a child process without writing to disk
-- 🔍 **Check/sync mode** for drift detection
-- 🌐 **Documentation website** — dedicated docs site with guides and examples
-- 🧠 **Auto-discovery** for bulk parameter fetching
-- 🔌 **More backends** (HashiCorp Vault, GCP Secret Manager, etc.)
+| Status | Feature |
+|--------|---------|
+| ✅ | Pull & Push: bidirectional sync between `.env` and cloud vault |
+| ✅ | Multi-provider: AWS SSM + Azure Key Vault |
+| ✅ | GitHub Action for CI/CD |
+| ✅ | .NET SDK and Python SDK |
+| 🚧 | TypeScript, Go, and Java SDKs |
+| 🚧 | GCP Secret Manager |
+| 🚧 | Exec mode (inject secrets without writing to disk) |
-👉 **[View full roadmap with priorities](./ROADMAP.md)**
+👉 **[Full roadmap with priorities](./ROADMAP.md)**
 ---
 ## 🤝 Contributing
-All help is welcome — PRs, issues, ideas!
+All help is welcome! PRs, issues, ideas.
 - 🔧 Use our [Pull Request Template](.github/pull_request_template.md)
 - 🧪 Add tests where possible
@@ -495,15 +395,16 @@ All help is welcome — PRs, issues, ideas!
 <p align="center">
   <a href="https://localstack.cloud" target="_blank" rel="noopener noreferrer">
-    <img src="./src/website/public/localstack-logo-horizontal-Dark.svg#gh-light-mode-only"
-      alt="LocalStack" height="40">
-    <img src="./src/website/public/localstack-logo-horizontal-Light.svg#gh-dark-mode-only"
-      alt="LocalStack" height="40">
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="./src/website/public/localstack-logo-horizontal-Light.svg">
+      <source media="(prefers-color-scheme: light)" srcset="./src/website/public/localstack-logo-horizontal-Dark.svg">
+      <img src="./src/website/public/localstack-logo-horizontal-Dark.svg" alt="LocalStack" height="40">
+    </picture>
   </a>
 </p>
 <p align="center">
-  Proudly supported by <a href="https://localstack.cloud">LocalStack</a> — powering Envilder's integration tests.
+  Supported by <a href="https://localstack.cloud">LocalStack</a>.
 </p>
 ---

package/ROADMAP.md CHANGED Viewed

@@ -31,15 +31,15 @@ or directly inside application code at runtime.
 | **Azure Key Vault** | Multi-backend via `$config` map-file section ([#90](https://github.com/macalbert/envilder/pull/90)) |
 | **Documentation website** | [envilder.com](https://envilder.com) |
 | **Onboarding documentation** | [Setup guide](./docs/requirements-installation.md) |
+| **.NET SDK** (`Envilder`) | First runtime SDK — load secrets into `IConfiguration` or `EnvilderClient`. AWS SSM + Azure Key Vault. [Documentation](./src/sdks/dotnet/README.md) |
+| **Python SDK** (`envilder`) | Runtime library for Python — Django, FastAPI, data pipelines. Sync API with `EnvilderClient`, `MapFileParser`, `SecretProviderFactory`. AWS SSM + Azure Key Vault. Published to PyPI. [Documentation](./src/sdks/python/README.md) |
 ### 🔥 Up Next
 | Feature | Priority | Notes |
 |---------|----------|-------|
 | **TypeScript SDK** (`@envilder/sdk`) | 🔴 High | Native runtime library — load secrets directly into `process.env` from a map-file. No `.env` file needed. Published to npm |
-| **Python SDK** (`envilder`) | 🔴 High | Runtime library for Python — Django/FastAPI/data pipelines. Published to PyPI |
 | **Go SDK** (`envilder`) | 🔴 High | Runtime library for Go — cloud-native apps, Kubernetes tooling. Published as Go module |
-| **.NET SDK** (`Envilder`) | 🔴 High | Runtime library for .NET — enterprise apps, Azure-native shops. Published to NuGet |
 | **Java SDK** (`envilder`) | 🔴 High | Runtime library for Java/Kotlin — Spring Boot, Android backends. Published to Maven Central |
 | **Map-file JSON Schema** | 🔴 High | Formal spec for the map-file format at `spec/` — serves as the contract between all SDKs and tools |
 | **SDK conformance tests** | 🔴 High | Language-agnostic test fixtures (JSON input → expected output) that all SDKs must pass |

package/docs/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,99 @@
+## [0.9.3] - 2026-04-17
+### Added
+* **Runtime SDKs now available** — Load secrets directly into your application
+  at startup, no `.env` file needed:
+  **.NET** ([NuGet](https://www.nuget.org/packages/Envilder)):
+  ```csharp
+  builder.Configuration.AddEnvilder(
+      "secrets-map.json", provider);
+  ```
+  **Python** ([PyPI](https://pypi.org/project/envilder)):
+  ```python
+  from envilder import Envilder
+  Envilder.load('secrets-map.json')
+  ```
+  **CLI** (as always):
+  ```bash
+  npx envilder --map=secrets-map.json --envfile=.env
+  ```
+  **GitHub Action:**
+  ```yaml
+  - uses: macalbert/envilder/github-action@v0
+    with:
+      map-file: secrets-map.json
+      env-file: .env
+  ```
+### Changed
+* **README rewritten** — Streamlined messaging, accurate comparison
+  tables, simplified quick start (2 steps), and reduced noise
+* **Comparison table corrected** — Infisical SDKs, dotenvx (successor
+  to dotenv-vault), and chamber capabilities now accurately represented
+  with verified references
+### Fixed
+* **ci(publish-npm):** Narrowed `paths` filter from `src/**` to
+  `src/envilder/**` so SDK/website/IaC changes no longer trigger the
+  npm publish workflow
+* **ci(publish-npm):** Replaced `npm view` with `curl` against the npm
+  registry API to avoid `.npmrc` auth failures during version detection
+* **ci(publish-website):** Added `docs/CHANGELOG.md` and
+  `docs/changelogs/**` to path filters so changelog updates trigger
+  website deployment
+### Dependencies
+* Bump `typescript` from 6.0.2 to 6.0.3
+---
+## [0.9.2] - 2026-04-02
+### Added
+* **LocalStack sponsor section** — Added sponsor section to website homepage and README with LocalStack logos (dark, light, color variants) and a new `Sponsors.astro` component ([#136](https://github.com/macalbert/envilder/pull/136))
+* **SDK platform scaffolding** — Added placeholder structure under `src/sdks/` for future .NET, Go, Java, Python, and TypeScript SDK implementations
+* **Website test suite** — Added `tests/website/` with Vitest coverage for i18n utilities and Markdown helpers (`utils.test.ts`, `markdown.test.ts`)
+* **`BackToTop` component** — New scroll-to-top button component for the documentation website
+### Changed
+* **Project layout restructured for SDK platform readiness** ([#134](https://github.com/macalbert/envilder/pull/134)):
+  * Core domain layer moved from `src/envilder/` to `src/envilder/core/`
+  * Website moved from `src/apps/website/` to `src/website/`
+  * All imports, `tsconfig.json`, `package.json`, and workspace config updated accordingly
+* **Website UX improvements** — `DocsContent`, `HowItWorks`, `ThemeSwitcher`, `TerminalMockup`, and `BaseLayout` components updated; global CSS expanded; i18n keys added for new content
+### Fixed
+* **README:** Replace `#gh-light-mode-only` / `#gh-dark-mode-only` image fragments with a `<picture>` element using `prefers-color-scheme` media queries for reliable dark/light theme logo switching
+* **ci:** Update version check in publish workflow to use published version from npm
+### Dependencies
+* Bump `@aws-sdk/client-ssm` from 3.1019.0 to 3.1021.0 ([#140](https://github.com/macalbert/envilder/pull/140))
+* Bump `@aws-sdk/credential-providers` from 3.1019.0 to 3.1021.0 ([#142](https://github.com/macalbert/envilder/pull/142))
+* Bump `secretlint` from 11.4.0 to 11.4.1 ([#141](https://github.com/macalbert/envilder/pull/141))
+* Bump `@secretlint/secretlint-rule-preset-recommend` from 11.4.0 to 11.4.1 ([#144](https://github.com/macalbert/envilder/pull/144))
+* Bump `astro` from 6.1.1 to 6.1.2 ([#143](https://github.com/macalbert/envilder/pull/143))
+* Bump `actions/configure-pages` from 5 to 6 ([#139](https://github.com/macalbert/envilder/pull/139))
+* Bump `actions/deploy-pages` from 4 to 5 ([#138](https://github.com/macalbert/envilder/pull/138))
+* Bump `pnpm/action-setup` from 4 to 5 ([#137](https://github.com/macalbert/envilder/pull/137))
+---
 ## [0.9.1] - 2026-03-30
 ### Added

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "envilder",
-  "version": "0.9.2",
+  "version": "0.9.3",
   "description": "A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth",
   "homepage": "https://envilder.com",
   "author": {
@@ -38,7 +38,9 @@
     "release-major": "pnpm version major",
     "release-prerelease": "pnpm version prerelease",
     "dev:run": "node --env-file=dev.env --import tsx src/envilder/apps/cli/Index.ts",
-    "docker:up": "docker compose -f docker-compose.yml up -d",
+    "env:generate": "pnpx envilder --map=secrets-map.json --envfile=.env",
+    "env:ensure": "node -e \"require('fs').existsSync('.env')||process.exit(1)\" || pnpm env:generate",
+    "docker:up": "pnpm env:ensure && docker compose -f docker-compose.yml up -d",
     "docker:down": "docker compose -f docker-compose.yml down"
   },
   "keywords": [
@@ -123,6 +125,11 @@
       "protobufjs",
       "sharp",
       "ssh2"
-    ]
+    ],
+    "overrides": {
+      "defu": ">=6.1.5",
+      "lodash": ">=4.18.0",
+      "vite": ">=7.3.2"
+    }
   }
 }