Description
We currently rely on .env files for managing secrets, which exposes us to security risks (plaintext storage, accidental commits, AI tool exposure) and slows down developer onboarding.
This issue proposes introducing Varlock as a schema-driven configuration layer to securely manage environment variables and eliminate plaintext secrets from developer machines.
Objectives
- Replace
.env files with .env.schema
- Fetch secrets securely at runtime via providers (Google Secret Manager)
- Enable type-safe environment variables
- Prevent secret leakage (logs, git history, AI tools)
- Improve developer onboarding experience
Scope (Initial Implementation)
- Set up Varlock CLI in the project
- Create initial
.env.schema
- Integrate with one provider (start with Google Secrets manager)
- Update local dev workflow (
varlock run)
- Add basic CI/CD integration
Out of Scope
- Full migration of all existing services
- Multi-provider setup (phase 2)
Acceptance Criteria
- Application runs locally using
varlock run
- No
.env files required for setup
- Secrets are fetched securely at runtime
Notes
- This is a pilot implementation for one service
- Focus is on validating developer experience + security improvements
- Future phases will expand to additional providers and services
Description
We currently rely on
.envfiles for managing secrets, which exposes us to security risks (plaintext storage, accidental commits, AI tool exposure) and slows down developer onboarding.This issue proposes introducing Varlock as a schema-driven configuration layer to securely manage environment variables and eliminate plaintext secrets from developer machines.
Objectives
.envfiles with.env.schemaScope (Initial Implementation)
.env.schemavarlock run)Out of Scope
Acceptance Criteria
varlock run.envfiles required for setupNotes