hushenv 0.1.0 → 0.1.2
- package/README.md +54 -10
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -1,5 +1,10 @@
|
|
|
1
1
|
# hushenv
|
|
2
2
|
|
|
3
|
+
[](https://www.npmjs.com/package/hushenv)
|
|
4
|
+
[](https://github.com/hushenv/hushenv/blob/main/LICENSE)
|
|
5
|
+
[](https://github.com/hushenv/hushenv/actions/workflows/publish.yml)
|
|
6
|
+
[](https://www.npmjs.com/package/hushenv)
|
|
7
|
+
|
|
3
8
|
Keeps your secrets hush-hush ๐คซ โ a local secret manager for the agent era, starting with your `.env`.
|
|
4
9
|
|
|
5
10
|
Your `.env` files hold **references**, not secrets:
|
|
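Review bot: The four badge links added at new lines 3 to 6 have empty link text as shown here, and lines 3 and 6 both point to https://www.npmjs.com/package/hushenv. Give each badge descriptive alt text and drop or retarget the duplicate, so the license and publish-workflow status stay readable when images are not rendered.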
@@ -19,6 +24,8 @@ AI agents to read.
|
|
|
19
24
|
## Quickstart
|
|
20
25
|
|
|
21
26
|
```bash
|
|
27
|
+
npm i -g hushenv
|
|
28
|
+
|
|
22
29
|
hushenv init # master key -> OS keychain, empty vault
|
|
23
30
|
hushenv set DB_PASSWORD # hidden prompt
|
|
24
31
|
hushenv set RESEND_KEY --stdin # or pipe it in
|
|
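Review bot: The install step added at new line 27, `npm i -g hushenv`, is unpinned, so the Quickstart installs whatever is tagged latest at that moment for a tool that then puts a master key in the OS keychain at `hushenv init`. Consider documenting a pinned form such as `npm i -g hushenv@0.1.2` beside it, plus a short note telling users to confirm the installed version before running `hushenv init`.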
@@ -40,6 +47,35 @@ hushenv run -f .env.local -- pnpm dev
|
|
|
40
47
|
Reference syntax: `{hushenv.NAME}` โ whole-value or embedded inside a larger
|
|
41
48
|
string. `{mysm.NAME}` and `{mysmtool.NAME}` are accepted as legacy aliases.
|
|
42
49
|
|
|
50
|
+
## Use with your stack
|
|
51
|
+
|
|
52
|
+
`hushenv run` injects resolved secrets into the environment of **any** child
|
|
53
|
+
process โ your app's language doesn't matter:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
hushenv run -- <your dev command>
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
Per-stack recipes with the framework-specific details:
|
|
60
|
+
|
|
61
|
+
| Stack | Guide |
|
|
62
|
+
|---|---|
|
|
63
|
+
| Next.js | [docs/nextjs.md](docs/nextjs.md) |
|
|
64
|
+
| NestJS | [docs/nestjs.md](docs/nestjs.md) |
|
|
65
|
+
| Express / plain Node | [docs/express.md](docs/express.md) |
|
|
66
|
+
| Vite | [docs/vite.md](docs/vite.md) |
|
|
67
|
+
| Python (FastAPI / Django / Flask) | [docs/python.md](docs/python.md) |
|
|
68
|
+
| Go | [docs/go.md](docs/go.md) |
|
|
69
|
+
| PHP / Laravel | [docs/php-laravel.md](docs/php-laravel.md) |
|
|
70
|
+
| Ruby / Rails | [docs/ruby-rails.md](docs/ruby-rails.md) |
|
|
71
|
+
| Rust | [docs/rust.md](docs/rust.md) |
|
|
72
|
+
|
|
73
|
+
They all work for the same reason: every mainstream dotenv loader (Node
|
|
74
|
+
dotenv, python-dotenv, godotenv, phpdotenv, dotenv-rails, dotenvy) refuses to
|
|
75
|
+
overwrite environment variables that already exist โ and hushenv sets the real
|
|
76
|
+
values *before* your app starts. Your framework keeps its `.env` loading;
|
|
77
|
+
the ref strings in the file are simply never used.
|
|
78
|
+
|
|
43
79
|
## Semantics
|
|
44
80
|
|
|
45
81
|
- Multiple `-f` files: loaded in order, the **first** occurrence of a key wins.
|
|
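Review bot: The paragraph at new lines 73 to 77 says every mainstream dotenv loader refuses to overwrite existing environment variables, but that is only the default: Node dotenv accepts `override: true`, python-dotenv accepts `override=True`, and godotenv has `Overload`. An app that enables any of these would replace the injected secret with the literal `{hushenv.NAME}` string from the file, so suggest wording it as "by default" and adding a sentence telling users to keep override off under `hushenv run`. The relative docs/*.md links in the table at new lines 61 to 71 should also be checked to resolve from the published package page.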
@@ -49,6 +85,20 @@ string. `{mysm.NAME}` and `{mysmtool.NAME}` are accepted as legacy aliases.
|
|
|
49
85
|
`hushenv set` commands to fix it. Exit code 2.
|
|
50
86
|
- Exit codes: `0` ok ยท `1` error ยท `2` missing secret.
|
|
51
87
|
|
|
88
|
+
## How it compares
|
|
89
|
+
|
|
90
|
+
| | Plaintext on disk | `.env` safe to commit | Agent-safe `.env` | Works offline | Price |
|
|
91
|
+
|---|---|---|---|---|---|
|
|
92
|
+
| plain `.env` + dotenv | yes ๐ฌ | no | no | yes | free |
|
|
93
|
+
| **hushenv** | no โ AES-256-GCM vault, key in OS keychain | yes โ refs only | yes | yes | free |
|
|
94
|
+
| dotenvx | no โ ciphertext in `.env` | yes โ ciphertext | partly โ private key sits in `.env.keys` | yes | free core, paid sync |
|
|
95
|
+
| 1Password `op run` | no | yes โ `op://` refs | yes | mostly | subscription |
|
|
96
|
+
| cloud secret managers | no | n/a | yes | no | usage-based |
|
|
97
|
+
|
|
98
|
+
Honest take: if your team needs shared secrets **today**, dotenvx sync or a
|
|
99
|
+
cloud manager solves that and hushenv doesn't yet โ team sync is what
|
|
100
|
+
hushenv Cloud (closed-source, paid) will add on top of this free core.
|
|
101
|
+
|
|
52
102
|
## No keychain? (CI, containers)
|
|
53
103
|
|
|
54
104
|
Set the master key via the environment instead:
|
|
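Review bot: The hushenv row at new line 93 states the key is in the OS keychain, yet the unchanged section directly below (new lines 102 to 104) documents supplying the master key via the environment for CI and containers. Qualify the cell or add a footnote, since in that mode the "Plaintext on disk" and "Agent-safe `.env`" answers depend on where that variable is stored. The "Agent-safe `.env`" column is also not defined anywhere in the hunk; a one-line definition above the table would let readers check the "yes" and "partly" entries.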
@@ -87,17 +137,11 @@ apps/cli the hushenv CLI: ref resolution, run, prompts
|
|
|
87
137
|
`vault-core` never imports anything env-file- or CLI-specific. Future
|
|
88
138
|
surfaces (tray UI, MCP broker) sit on the same engine.
|
|
89
139
|
|
|
90
|
-
##
|
|
91
|
-
|
|
92
|
-
```bash
|
|
93
|
-
pnpm install
|
|
94
|
-
pnpm build
|
|
95
|
-
pnpm test
|
|
96
|
-
pnpm --filter hushenv dev -- --help # run from source
|
|
97
|
-
```
|
|
140
|
+
## Contributing
|
|
98
141
|
|
|
99
|
-
|
|
100
|
-
|
|
142
|
+
PRs welcome โ it's a small, readable codebase. Setup, tests, and how releases
|
|
143
|
+
work are in [CONTRIBUTING.md](CONTRIBUTING.md). Contributions are licensed
|
|
144
|
+
under Apache-2.0.
|
|
101
145
|
|
|
102
146
|
## Roadmap
|
|
103
147
|
|
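Review bot: The Contributing section at new lines 140 to 144 replaces the inline build commands with a relative link to CONTRIBUTING.md, but the file list for this release shows only package/README.md and package/package.json changed, so that file is not added to the package here. Confirm it ships in the tarball or link it by absolute repository URL, otherwise the link may not resolve for someone reading the README from the registry.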
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "hushenv",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.2",
|
|
4
4
|
"description": "Local secret manager for the agent era - encrypted vault, {hushenv.X} refs in .env, plaintext only at runtime.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -39,7 +39,7 @@
|
|
|
39
39
|
"commander": "^15.0.0",
|
|
40
40
|
"cross-spawn": "^7.0.6",
|
|
41
41
|
"dotenv": "^17.4.0",
|
|
42
|
-
"@hushenv/vault-core": "0.1.
|
|
42
|
+
"@hushenv/vault-core": "0.1.2"
|
|
43
43
|
},
|
|
44
44
|
"devDependencies": {
|
|
45
45
|
"@types/cross-spawn": "^6.0.6",
|
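Review bot: The dependency at new line 42 pins `@hushenv/vault-core` to exactly 0.1.2 while `commander`, `cross-spawn` and `dotenv` just above it keep caret ranges, so a global install still resolves those three at install time. For a CLI that handles the vault master key, consider publishing an npm-shrinkwrap.json or pinning them as well, so the tree users get matches the tree that was tested.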