Releases: git-stunts/vault

v1.0.0–The Airlock

12 Jan 16:12
b7e399b

Release Notes: v1.0.0 "The Airlock"

@git-stunts/vault v1.0.0 marks the official stable release of the "Zero-Secret Architecture" primitive.

For too long, we have accepted .env files as a necessary evil. They are plain-text liabilities sitting on your disk, begging to be accidentally committed or leaked. Vault changes the contract: your application no longer owns the secret; it borrows it from the operating system's credential store at runtime.

This release brings full parity across macOS, Windows, and Linux, alongside first-class support for the modern JavaScript runtime triad: Node.js, Bun, and Deno.

Core Features

Zero-Secret Architecture: Eliminates plain-text credentials from disk. Secrets live in Keychain (macOS), Libsecret (Linux), or Credential Manager (Windows).

Polyglot Runtime Support:

  • Node.js (>=20): Uses child_process to bridge to OS tools.
  • Bun (>=1.3.5): Native adapter using Bun.spawnSync and strict IPC.
  • Deno (>=2.0): Native adapter using Deno.Command with secure input masking via @std/cli.

Interactive Recovery: If a secret is missing in CI or local dev, Vault can gracefully prompt the user to enter it, automatically securing it for future runs.

Architecture & Engineering

This is not a simple wrapper script. v1.0.0 implements a strict Hexagonal Architecture (Ports & Adapters) to ensure stability and testability:

Domain Isolation: Core logic (VaultService) is decoupled from the runtime. It does not know if it is running in Node, Bun, or Deno.

Infrastructure Ports: The CommandRunnerPort interface abstracts shell execution, allowing for platform-specific implementations that respect runtime security models.

Hermetic Verification: The release is verified against a matrix of Docker containers (node-test, bun-test, deno-test) ensuring that the code behaves deterministically regardless of the host environment.

Installation

npm install @git-stunts/vault
# or
bun add @git-stunts/vault
# or
deno add npm:@git-stunts/vault

Usage Example

import Vault from '@git-stunts/vault';

// 1. Initialize (Auto-detects Runtime & OS)
const vault = new Vault({ account: 'my-distributed-system' });

// 2. The "Zero-Secret" Pattern
// If 'API_KEY' isn't in the Vault, this PROMPTS the user securely,
// stores it in the OS Keychain, and returns it.
const apiKey = await vault.ensureSecret({
  target: 'API_KEY',
  promptMessage: 'Please enter your production API Key'
});

// 3. Priority Resolution (Env Var override support)
const dbPass = vault.resolveSecret({
  envKey: 'DB_PASS_OVERRIDE',
  vaultTarget: 'db-password-prod'
});
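
The ports-and-adapters split and the env-override priority described above, as an added sketch that is not the project's own code. SecretResolver, nodeRunner, fakeRunner, LOOKUP, the libsecret attribute names and the "env wins" ordering are assumptions made for illustration; the Windows lookup is left out.

```javascript
// Added illustration, not code from @git-stunts/vault; all names are hypothetical.
// Lookups are built as argument vectors (never a shell string), so a target
// name containing quotes or ';' cannot alter the command that runs.
const LOOKUP = {
  darwin: (account, target) =>
    ['security', ['find-generic-password', '-a', account, '-s', target, '-w']],
  // Assumed libsecret attribute names: "account" and "target".
  linux: (account, target) =>
    ['secret-tool', ['lookup', 'account', account, 'target', target]],
};

// Node adapter for the port; pass in spawnSync from 'node:child_process'.
const nodeRunner = (spawnSync) => ({
  run(cmd, args) {
    const r = spawnSync(cmd, args, { encoding: 'utf8', shell: false });
    return { code: r.status, stdout: r.stdout || '' };
  },
});

// Test double for the same port: records argv, answers from a constructed map.
const fakeRunner = (store) => {
  const calls = [];
  const run = (cmd, args) => {
    calls.push([cmd, ...args]);
    const hit = Object.keys(store).find((k) => args.includes(k));
    return hit ? { code: 0, stdout: store[hit] + '\n' } : { code: 1, stdout: '' };
  };
  return { calls, run };
};

// Core logic: knows nothing about the runtime, only about the port.
class SecretResolver {
  constructor({ account, platform, runner, env = {} }) {
    Object.assign(this, { account, platform, runner, env });
  }
  resolve({ envKey, vaultTarget }) {
    // Assumed ordering: a non-empty environment override wins.
    if (this.env[envKey]) return { value: this.env[envKey], source: 'env' };
    const build = LOOKUP[this.platform];
    if (!build) throw new Error(`unsupported platform: ${this.platform}`);
    const { code, stdout } = this.runner.run(...build(this.account, vaultTarget));
    if (code !== 0) return { value: null, source: 'missing' };
    // Strip only the trailing newline the CLI appends; keep inner whitespace.
    return { value: stdout.replace(/\r?\n$/, ''), source: 'keystore' };
  }
}
```

Because the core only sees the port, the same resolver can be exercised with fakeRunner in tests and with nodeRunner(spawnSync) in production, and the recorded argv shows exactly what would reach the OS tool.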

Requirements

  • macOS: No deps (uses native security).
  • Linux: libsecret-tools (standard on most distros).
  • Windows: PowerShell CredentialManager module.

Full Changelog: https://github.com/git-stunts/vault/commits/v1.0.0