feat: add keychain CLI commands #835

Merged: theoephraim merged 12 commits into main from keychain-cli-namespace on Jun 25, 2026

Conversation

@theoephraim (Member) commented Jun 25, 2026

Supersedes #820 (original work by @bjesuiter) — rebased onto main and pushed to this repo so it can be iterated on without the fork.

Adds a native varlock keychain CLI namespace for managing macOS Keychain-backed secrets, built on gunshi subcommands (matching cache):

  • keychain list — metadata-only view of matching Keychain items (filter + --keychain)
  • keychain set — store a secret (masked prompt or stdin) and optionally write a matching keychain(...) ref with --write-to
  • keychain import <file> — migrate sensitive plaintext values into Keychain. Edits the file in place by default (replacing each plaintext value with its keychain(...) ref); --write-to redirects refs to a different file and leaves the source untouched
  • keychain fix-access — grant Varlock's helper access to existing keychain(...) refs (by --account or --path)

Includes the Swift daemon actions (keychain-set, keychain-fix-access) with stable error codes, plus docs and tests.

Fixes beyond the original

  • import now loads the project env graph normally (respecting package.json varlock.loadPath) and locates the source file via its FileBasedDataSource, mirroring encrypt --file. Previously it loaded just the single file and always errored "without .env.schema".
  • import resolves the env graph before reading sensitivity (sensitivity is only finalized during resolution, so it was importing non-sensitive values), and stores the value from the input file's own parsed def rather than a resolved/overridden graph value (e.g. a .env.local override).
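
A toy model of the `keychain import` flow the description above lays out: plaintext values of schema-sensitive keys are replaced by `keychain(...)` refs, the value stored is the one from the source file's own parsed definition rather than a resolved override (a `.env.local` value), values that are already refs are left alone, and a write failure mid-run reports how many items were imported and leaves the remaining plaintext in place. This is an added example, not varlock's own code or its Swift daemon: the ref syntax `keychain(KEY)`, the dict-based schema, the dict standing in for the macOS Keychain and the `fail_on` switch that simulates a failed write are all assumptions.

```python
"""Toy model of an .env -> keychain(...) import (added example, not varlock's code).

Assumptions not taken from the PR: refs are written as `keychain(<KEY>)`, the
schema is a dict KEY -> is_sensitive, and a plain dict stands in for the Keychain.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ENV_LINE = re.compile(r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$")
KEYCHAIN_REF = re.compile(r"^keychain\([^)]*\)$")  # assumed ref syntax


def parse_env(text: str) -> dict:
    """Return KEY -> raw value for every KEY=VALUE line; comments and blanks are skipped."""
    items = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            items[m.group("key")] = m.group("value").strip()
    return items


def resolve(source: dict, overrides: dict, schema: dict) -> dict:
    """Toy 'env graph' resolution: a sibling file overrides values, and sensitivity
    is only known once the graph is resolved (here: looked up in the schema)."""
    merged = {**source, **overrides}
    return {k: (v, schema.get(k, False)) for k, v in merged.items()}


@dataclass
class ImportResult:
    rewritten: str                       # file contents after the in-place rewrite
    imported: list = field(default_factory=list)  # keys whose values went to the keychain
    error: Optional[str] = None          # set when a write failed mid-run


def import_env(source_text: str, overrides: dict, schema: dict,
               keychain: dict, fail_on: Optional[str] = None) -> ImportResult:
    """Rewrite sensitive plaintext lines to refs, storing the source file's value."""
    source = parse_env(source_text)
    graph = resolve(source, overrides, schema)   # consulted ONLY for sensitivity
    result = ImportResult(rewritten="")
    lines = source_text.splitlines()
    out = []
    for i, line in enumerate(lines):
        m = ENV_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            out.append(line)                     # comments/blank lines pass through
            continue
        key = m.group("key")
        value = source[key]                      # the file's own def, never the override
        _, sensitive = graph[key]
        if not sensitive or KEYCHAIN_REF.match(value):
            out.append(line)                     # non-sensitive or already a ref
            continue
        if key == fail_on:                       # simulated keychain write failure
            result.error = (f"failed writing {key!r} after {len(result.imported)} imported; "
                            "remaining plaintext values can be re-imported with --force")
            out.extend(lines[i:])                # leave the rest of the file untouched
            break
        keychain[key] = value
        result.imported.append(key)
        out.append(f"{key}=keychain({key})")
    trailing = "\n" if source_text.endswith("\n") else ""
    result.rewritten = "\n".join(out) + trailing
    return result


# Constructed sample input; not a real project's file.
SAMPLE_ENV = (
    "# constructed sample\n"
    "APP_NAME=demo\n"
    "DB_PASSWORD=hunter2\n"
    "API_TOKEN=keychain(API_TOKEN)\n"
    "SMTP_PASSWORD=s3cret\n"
)
SCHEMA = {"APP_NAME": False, "DB_PASSWORD": True, "API_TOKEN": True, "SMTP_PASSWORD": True}
OVERRIDES = {"DB_PASSWORD": "from-dot-env-local"}  # a sibling override that must NOT be stored

if __name__ == "__main__":
    kc = {}
    r = import_env(SAMPLE_ENV, OVERRIDES, SCHEMA, kc)
    print(r.rewritten)
    print("imported:", r.imported, "stored:", kc)
```

Running the module rewrites only `DB_PASSWORD` and `SMTP_PASSWORD`, leaves `APP_NAME` and the existing `API_TOKEN` ref untouched, and stores `hunter2` (the file's value) rather than the `.env.local` override; passing `fail_on="SMTP_PASSWORD"` shows the partial-progress report the last commit describes.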

bjesuiter and others added 9 commits June 24, 2026 12:57
…gration

- import <file> positional (required) replaces the --from flag
- default rewrites the source file in place (plaintext -> keychain refs);
  --write redirects refs to a different file and leaves the source untouched
- fix: scan the source file's directory so sibling .env.schema is discovered
  (single-file load never surfaced the schema, so import always errored)
- fix: resolve env values before reading isSensitive, so only schema-sensitive
  values are imported (pre-resolution every item reports sensitive)
Make it structural (and tested) that import stores the value from the input
file's own AST, not the env graph's resolved value (which a sibling file like
.env.local could override). Graph is consulted only for sensitivity.
github-actions Bot (Contributor) commented Jun 25, 2026

bumpy-frog

The changes in this PR will be included in the next version bump.

minor (Minor releases)

  • varlock 1.8.0 → 1.9.0

This comment is maintained by bumpy.

cloudflare-workers-and-pages Bot commented Jun 25, 2026
Deploying with Cloudflare Workers

✅ Deployment successful: varlock-website, latest commit a72098e, updated Jun 25 2026, 12:34 AM (UTC)

Instead of scanning the source file's directory, load the project graph the
normal way (respecting package.json varlock.loadPath) and locate the file via
its FileBasedDataSource, like `encrypt --file`. Values are read from the file's
own configItemDefs, so an override in a sibling file (.env.local) can't change
what gets stored.
pkg-pr-new Bot commented Jun 25, 2026

npm i https://pkg.pr.new/varlock@835

commit: befce96

…rrupted import

- set: check for an existing Keychain item before prompting for the secret
- import: if a write fails mid-run, report how many were imported and that
  remaining plaintext can be re-imported with --force
@theoephraim theoephraim merged commit 431902e into main Jun 25, 2026
26 checks passed