mfazrinizar · mfazrinizar · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,66 @@
+name: CI
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+
+# The root package has no cross-repo deps — only pointycastle (hosted).
+# example/ depends on flutter_secure_dotenv_generator ^2.0.0 which is
+# not yet on pub.dev, so its resolution warns during dart pub get.
+# We use "|| true" because the root package always resolves; only the
+# example causes exit 1. Once the generator is published, remove "|| true".
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dart-lang/setup-dart@v1
+        with:
+          sdk: stable
+      - run: dart pub get || true
+      - run: dart format --set-exit-if-changed .
+      - run: dart analyze --fatal-infos lib/ test/
+
+  test:
+    name: Test
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        sdk: [stable, "3.8.0"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dart-lang/setup-dart@v1
+        with:
+          sdk: ${{ matrix.sdk }}
+      - run: dart pub get || true
+      - run: dart test
+
+  dry-run:
+    name: Publish Dry Run
+    runs-on: ubuntu-latest
+    needs: [analyze, test]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dart-lang/setup-dart@v1
+        with:
+          sdk: stable
+      - run: dart pub get || true
+      - run: dart pub publish --dry-run
+
+  pana:
+    name: Package Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dart-lang/setup-dart@v1
+        with:
+          sdk: stable
+      - run: dart pub global activate pana
+      - run: dart pub get || true
+      - run: dart pub global run pana --no-warning .
diff --git a/.gitignore b/.gitignore
@@ -8,4 +8,7 @@ pubspec.lock
 
 .vscode
 
-.env*
+.env*
+
+# Encryption key files generated by build_runner — never commit these.
+encryption_key.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,23 @@
-## 1.0.0
+## 2.0.0
 
-- Initial version.
-- Update dependencies and refactor from discontinued secure_dotenv. 
+- **BREAKING**: Updated `pointycastle` dependency from `^3.9.1` to `^4.0.0`.
+- **BREAKING**: Minimum Dart SDK bumped from `^3.6.0` to `^3.8.0`.
+- **Security**: Removed insecure `String.fromEnvironment()` / `--dart-define` pattern from examples (addresses [#2](https://github.com/mfazrinizar/flutter_secure_dotenv/issues/2)).
+- Added `SECURITY.md` with detailed encryption key management guidance.
+- Updated README with security warnings and recommended key provisioning approaches.
+- Updated `lints` to `^6.1.0`, `test` to `^1.29.0`.
+- Enhanced test coverage from 8 to 43 tests (padding, random byte generation, edge cases).
+- Added fully working Flutter example app with hardcoded key + gitignore approach.
+- Added 100% `public_member_api_docs` coverage.
+- Made `AESCBCEncrypter` non-instantiable (static-only utility class).
+- Added library-level dartdoc comments.
+- Added `CONTRIBUTING.md`.
 
 ## 1.0.1
 
-- Refactor README and example.
+- Refactor README and example.
+
+## 1.0.0
+
+- Initial version.
+- Update dependencies and refactor from discontinued secure_dotenv.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,68 @@
+# Contributing to flutter_secure_dotenv
+
+Thank you for your interest in contributing! This guide will help you get started.
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork:
+   ```bash
+   git clone https://github.com/<your-username>/flutter_secure_dotenv.git
+   ```
+3. Install dependencies:
+   ```bash
+   dart pub get
+   ```
+
+## Development Workflow
+
+### Branching
+
+- `main` — stable releases published to pub.dev
+- `dev` — active development; PRs should target this branch
+
+Create a feature branch from `dev`:
+
+```bash
+git checkout -b feature/my-feature dev
+```
+
+### Code Quality
+
+Before submitting a PR, make sure all checks pass:
+
+```bash
+dart format --set-exit-if-changed .
+dart analyze --fatal-infos
+dart test
+```
+
+CI runs these automatically on every push and pull request.
+
+### Tests
+
+All new features and bug fixes **must** include tests. Run the test suite with:
+
+```bash
+dart test
+```
+
+## Pull Requests
+
+1. Keep PRs focused — one feature or fix per PR.
+2. Write clear commit messages.
+3. Update `CHANGELOG.md` under an `## Unreleased` section.
+4. Ensure CI passes before requesting review.
+
+## Reporting Issues
+
+- Use [GitHub Issues](https://github.com/mfazrinizar/flutter_secure_dotenv/issues).
+- Include Dart SDK version, package version, and a minimal reproduction.
+
+## Security
+
+If you discover a security vulnerability, please see [SECURITY.md](SECURITY.md) for responsible disclosure instructions.
+
+## Code of Conduct
+
+Be respectful and constructive in all interactions. We follow the [Dart community guidelines](https://dart.dev/community).
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,4 +8,7 @@ pubspec.lock @@
     .vscode
-    .env*
+    .env*
+    # Encryption key files generated by build_runner — never commit these.
+    encryption_key.json