AWS Secrets Manager (awssm) provider: support for a ?prefix= query parameter in the provider URI (e.g., awssm://us-east-1?prefix=myteam). The prefix is prepended to all secret names (myteam/secretspec/{project}/{profile}/{key}). Closes #92.
Provider aliases can now be declared at the project level in a top-level [providers] table of secretspec.toml. Aliases declared there are visible to per-secret providers = [...] lists and to --provider/SECRETSPEC_PROVIDER, and are merged with the existing user-level [defaults.providers] map in ~/.config/secretspec/config.toml. On name conflicts the project entry wins, so a team's checked-in mapping cannot be silently shadowed by a stale local config. Closes #79 and addresses the "share aliases via VCS" half of #90.
Fixed
Profile-not-found errors no longer surface as the confusing Secret 'Profile 'X' not found' not found. They now use the dedicated InvalidProfile variant and include the list of profiles defined in secretspec.toml, e.g. Invalid profile: 'production' is not defined in secretspec.toml. Available profiles: default, dev. Affects check, run, get, set, and import. Surfaced via #79.
Install secretspec 0.11.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.11.0/secretspec-installer.sh | sh
secretspec check: optional secrets that aren't set no longer render with a green ✓ and aren't counted as "found" in the trailing summary. They now display with the same blue ○ (optional) styling already used in the missing-required path, and the summary appends , N optional whenever optional secrets are absent (e.g. Summary: 4 found, 0 missing, 1 optional). If every optional secret is set, the summary line stays in its previous X found, Y missing form. Fixes #72.
Install secretspec 0.10.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.10.1/secretspec-installer.sh | sh
Proton Pass provider that stores secrets in a Proton Pass vault via the proton-pass CLI. Configured as protonpass://<vault>; items are organized per project / profile and read / write both go through the CLI.
Fixed
OnePassword provider: the auth preflight now probes op vault list instead of op whoami. Under the 1Password desktop app's delegated-session integration, op whoami reports account is not signed in even when op item get / op vault list work fine, so every secret read or write failed at preflight with a misleading "not signed in" error. op vault list exercises the actual access path and succeeds when the desktop app can serve secrets. Additionally, OP_SESSION_* environment variables (left over from eval $(op signin)) are now stripped before spawning op so a stale shell session can't shadow the desktop integration. Auth failure and install hints now point users at desktop integration as the primary local-dev path. Fixes #80.
Vault / OpenBao provider: HTTPS requests now trust certificates from the operating system trust store (and honor SSL_CERT_FILE / SSL_CERT_DIR), so servers fronted by a private / internal CA work without modification. Previously the bundled webpki-roots set was the only trust anchor and any non-public CA produced Failed to connect to Vault ... error sending request. Switches the reqwest workspace dependency from rustls-tls to rustls-tls-native-roots. Fixes #85.
Install secretspec 0.10.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.10.0/secretspec-installer.sh | sh
Dropped the serde-envfile dependency in favor of a small in-tree .env serializer. The previous git-pinned fork blocked publishing to crates.io; the new serializer applies the same escapes (backslash, double quote, dollar, newline) that the fork added and emits keys in sorted order for stable diffs.
Install secretspec 0.9.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.9.1/secretspec-installer.sh | sh
The --provider CLI flag now correctly takes precedence over the SECRETSPEC_PROVIDER environment variable. Previously the env var was consulted before the value forwarded from --provider (via set_provider), so users could not temporarily override the provider on the command line while the env var was set. Fixes #77.
Per-secret providers = [...] chains now behave as a true fallback chain when an upstream provider errors (e.g. a 403 from a vault the current user cannot access). Previously the first provider's error short-circuited the whole operation; now the error is logged as a warning and the next provider in the chain is tried. The original error is only surfaced if every provider in the chain failed (so genuine outages still bubble up), or if the secret has no alternative to fall back to. Fixes #83.
secretspec run now removes the temporary files it creates for as_path = true secrets after the child process exits. Previously the files were leaked under /tmp because std::process::exit skipped the destructors that own them. Fixes #71.
Provider URIs now support spaces and special characters in names (e.g., onepassword://Home Lab). All providers receive automatically percent-decoded values via a new ProviderUrl wrapper type.
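The two URI behaviours described in this changelog (percent-decoded names, and the awssm ?prefix= parameter from the 0.11.0 notes above) can be shown with a small parser. This is an added example written for this page, not secretspec's own ProviderUrl type; the `{prefix}/secretspec/{project}/{profile}/{key}` layout is taken from the 0.11.0 entry, and the character check on the prefix mirrors the character set AWS documents for secret names rather than anything secretspec itself does.

```rust
// Added example: a minimal parser for provider URIs such as
// `awssm://us-east-1?prefix=myteam` or `onepassword://Home%20Lab`.
// Not secretspec's own code.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub struct ProviderUri {
    pub scheme: String,
    /// Percent-decoded part between `://` and `?` (region, vault name, ...).
    pub target: String,
    pub query: BTreeMap<String, String>,
}

/// Decode `%XX` escapes into bytes and require the result to be valid UTF-8.
fn percent_decode(s: &str) -> Result<String, String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3).ok_or("truncated % escape")?;
            let hex = std::str::from_utf8(hex).map_err(|_| "bad % escape")?;
            out.push(u8::from_str_radix(hex, 16).map_err(|_| "bad % escape")?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| "decoded name is not valid UTF-8".to_string())
}

pub fn parse_provider_uri(uri: &str) -> Result<ProviderUri, String> {
    let (scheme, rest) = uri.split_once("://").ok_or("missing '://'")?;
    let scheme_ok = !scheme.is_empty()
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.'));
    if !scheme_ok {
        return Err(format!("invalid scheme {scheme:?}"));
    }
    let (target, query_str) = match rest.split_once('?') {
        Some((t, q)) => (t, Some(q)),
        None => (rest, None),
    };
    let mut query = BTreeMap::new();
    if let Some(q) = query_str {
        for pair in q.split('&').filter(|p| !p.is_empty()) {
            let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
            query.insert(percent_decode(k)?, percent_decode(v)?);
        }
    }
    Ok(ProviderUri { scheme: scheme.to_string(), target: percent_decode(target)?, query })
}

/// Secret name for the awssm provider, honouring `?prefix=`.
/// Layout from the changelog: `{prefix}/secretspec/{project}/{profile}/{key}`.
pub fn awssm_secret_name(uri: &ProviderUri, project: &str, profile: &str, key: &str) -> Result<String, String> {
    let base = format!("secretspec/{project}/{profile}/{key}");
    match uri.query.get("prefix").map(|p| p.trim_matches('/')) {
        None | Some("") => Ok(base),
        Some(prefix) => {
            // AWS secret names allow ASCII letters, digits and /_+=.@- only;
            // rejecting anything else stops a malformed URI from producing a
            // name the API would refuse or that lands under an unexpected path.
            if !prefix.chars().all(|c| c.is_ascii_alphanumeric() || "/_+=.@-".contains(c)) {
                return Err(format!("prefix {prefix:?} contains characters AWS does not allow"));
            }
            Ok(format!("{prefix}/{base}"))
        }
    }
}
```

Decoding happens once, in the parser, so every provider sees the same already-decoded value; a truncated or non-hex escape is rejected up front instead of being passed to a backend as a literal name.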
dotenv provider: setting a secret no longer corrupts neighboring values that contain double quotes, backslashes, dollar signs, or newlines (e.g. JSON values). The underlying serde-envfile serializer did not escape these characters; fix is pinned via a fork until lucagoslar/serde-envfile#6 lands upstream. Fixes #74.
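Both the dotenv escaping fix here and the in-tree .env serializer from the 0.10.0 notes above come down to the same four escapes plus sorted output. The following is an added example for this page, not secretspec's serializer or the serde-envfile fork: it writes double-quoted values with backslash, double quote, dollar and newline escaped, emits keys in sorted order, and includes a matching reader so the round trip through a JSON-like value can be checked.

```rust
// Added example: .env writer/reader with the escapes the changelog lists.
// Not secretspec's own code.
use std::collections::BTreeMap;

/// Quote a value so that `\`, `"`, `$` and newlines survive a round trip.
fn escape_env_value(v: &str) -> String {
    let mut out = String::with_capacity(v.len() + 2);
    out.push('"');
    for c in v.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '"' => out.push_str("\\\""),
            '$' => out.push_str("\\$"),
            '\n' => out.push_str("\\n"),
            other => out.push(other),
        }
    }
    out.push('"');
    out
}

/// Only accept POSIX-style variable names; anything else would let a key
/// inject `=` or whitespace and corrupt the line structure.
fn valid_key(k: &str) -> bool {
    let mut chars = k.chars();
    matches!(chars.next(), Some(c) if c == '_' || c.is_ascii_alphabetic())
        && chars.all(|c| c == '_' || c.is_ascii_alphanumeric())
}

/// Serialize all variables; BTreeMap iteration gives sorted keys for stable diffs.
pub fn serialize_env(vars: &BTreeMap<String, String>) -> Result<String, String> {
    let mut out = String::new();
    for (k, v) in vars {
        if !valid_key(k) {
            return Err(format!("invalid key {k:?}"));
        }
        out.push_str(k);
        out.push('=');
        out.push_str(&escape_env_value(v));
        out.push('\n');
    }
    Ok(out)
}

fn unescape(s: &str) -> Result<String, String> {
    let mut out = String::new();
    let mut it = s.chars();
    while let Some(c) = it.next() {
        if c != '\\' {
            out.push(c);
            continue;
        }
        match it.next() {
            Some('n') => out.push('\n'),
            Some(e @ ('\\' | '"' | '$')) => out.push(e),
            other => return Err(format!("bad escape \\{other:?}")),
        }
    }
    Ok(out)
}

/// Read the format written above (quoted values with escapes, or bare values).
pub fn parse_env(text: &str) -> Result<BTreeMap<String, String>, String> {
    let mut map = BTreeMap::new();
    for (n, line) in text.lines().enumerate() {
        if line.trim().is_empty() || line.starts_with('#') {
            continue;
        }
        let (k, raw) = line.split_once('=').ok_or(format!("line {}: missing '='", n + 1))?;
        let val = match raw.strip_prefix('"').and_then(|r| r.strip_suffix('"')) {
            Some(inner) => unescape(inner)?,
            None => raw.to_string(),
        };
        map.insert(k.to_string(), val);
    }
    Ok(map)
}
```

Because the serializer rewrites every entry from the in-memory map, a value containing `"` or `$` next to the one being set is re-escaped on each write instead of being copied through verbatim, which is the class of corruption the fix addresses.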
--provider (and SECRETSPEC_PROVIDER) is now honored on every command even when a providers = [...] chain is configured for the secret or profile. Previously set, get, check, import, and run silently used the first provider in the chain and ignored the explicit override, making secretspec set --provider <alias> a no-op against the requested target. The flag now consistently takes precedence: set/import/generation write only to the chosen provider, and get/validate read only from it (no chain fallback). Provider aliases declared in ~/.config/secretspec/config.toml can now be passed directly to --provider. Fixes #81.
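The override and alias rules in this entry, the --provider over SECRETSPEC_PROVIDER precedence and the fallback-chain behaviour from the entries above, and the project-over-user alias merge from the 0.11.0 notes all fit in one resolution routine. The code below is an added example for this page, not secretspec's implementation: provider URIs, alias names and the mock backend are constructed, and the choice to surface an error whenever nothing was found and some provider errored is this example's reading of "every provider in the chain failed".

```rust
// Added example: provider selection (flag > env > chain, explicit override
// disables fallback, project aliases beat user aliases) and a fallback walk.
// Not secretspec's own code.
use std::collections::HashMap;

/// Outcome of asking one provider for one key.
pub enum Lookup {
    Found(String),
    Missing,
    Error(String),
}

pub trait Provider {
    fn name(&self) -> &str;
    fn get(&self, key: &str) -> Lookup;
}

/// Constructed stand-in for a backend: serves a fixed map, or fails every
/// call to simulate e.g. a 403 from a vault the caller cannot read.
pub struct MockProvider {
    pub name: String,
    pub values: HashMap<String, String>,
    pub error: Option<String>,
}

impl Provider for MockProvider {
    fn name(&self) -> &str {
        &self.name
    }
    fn get(&self, key: &str) -> Lookup {
        if let Some(e) = &self.error {
            return Lookup::Error(e.clone());
        }
        match self.values.get(key) {
            Some(v) => Lookup::Found(v.clone()),
            None => Lookup::Missing,
        }
    }
}

/// Alias tables from the two config files; project entries win on conflict.
pub struct Aliases {
    pub user: HashMap<String, String>,    // ~/.config/secretspec/config.toml [defaults.providers]
    pub project: HashMap<String, String>, // secretspec.toml [providers]
}

impl Aliases {
    pub fn merged(&self) -> HashMap<String, String> {
        let mut m = self.user.clone();
        m.extend(self.project.iter().map(|(k, v)| (k.clone(), v.clone())));
        m
    }
    /// Expand an alias to a URI; a name that is not an alias passes through.
    pub fn resolve(&self, name: &str) -> String {
        self.merged().get(name).cloned().unwrap_or_else(|| name.to_string())
    }
}

/// Which provider URIs to consult, in order. --provider beats
/// SECRETSPEC_PROVIDER, and either override replaces the chain (no fallback).
pub fn provider_plan(cli_flag: Option<&str>, env_var: Option<&str>, chain: &[&str], aliases: &Aliases) -> Vec<String> {
    match cli_flag.or(env_var) {
        Some(explicit) => vec![aliases.resolve(explicit)],
        None => chain.iter().map(|p| aliases.resolve(p)).collect(),
    }
}

/// Try each planned provider. Errors are collected (a CLI would log them as
/// warnings) and the next provider is tried; if nothing was found, any error
/// seen is surfaced rather than reporting a clean "missing".
pub fn fetch_with_fallback(plan: &[String], providers: &HashMap<String, Box<dyn Provider>>, key: &str) -> Result<Option<String>, String> {
    let mut errors = Vec::new();
    for uri in plan {
        match providers.get(uri) {
            None => errors.push(format!("{uri}: no such provider")),
            Some(p) => match p.get(key) {
                Lookup::Found(v) => return Ok(Some(v)),
                Lookup::Missing => {}
                Lookup::Error(e) => errors.push(format!("{}: {e}", p.name())),
            },
        }
    }
    if errors.is_empty() {
        Ok(None)
    } else {
        Err(errors.join("; "))
    }
}
```

With an explicit --provider the plan has exactly one entry, so a write lands only on the requested target and a read never silently falls through to a different backend; without one, a 403 on the first chain entry no longer hides a value the second entry could have served.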
Added
BWS (Bitwarden Secrets Manager) provider with async SDK integration, secret caching, and full read-write support (requires --features bws)
Changed
secretspec-derive now depends on secretspec with default-features = false, avoiding pulling in CLI and provider features when only the derive macro is used.
Install secretspec 0.9.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.9.0/secretspec-installer.sh | sh
All provider features (gcsm, awssm, vault) are now enabled by default
AWS Secrets Manager (awssm) provider: batch fetching via BatchGetSecretValue API, reducing N sequential API calls to ceil(N/20) batched calls. For 30 secrets this means 2 API calls instead of 30. Note: requires the secretsmanager:BatchGetSecretValue IAM permission in addition to existing permissions.
Install secretspec 0.8.2
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.8.2/secretspec-installer.sh | sh
rsa_private_key secret generation type: generates RSA private keys in PKCS1 PEM format, defaults to 2048 bits, configurable via generate = { bits = 4096 }
Fixed
Check provider authentication (e.g. OnePassword, LastPass) before prompting user for secrets, via a PreflightGuard that runs the check exactly once per provider instance
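A run-once preflight of this shape can be built from a mutex-guarded cached result. The code below is an added example for this page, not secretspec's PreflightGuard; the mock provider, its `signed_in` switch and the `value-of-` values are constructed, and the real probe it stands in for is a CLI call such as the op vault list probe described in the 0.10.1 notes.

```rust
// Added example: an auth preflight that runs exactly once per provider
// instance and is consulted before the user is prompted for a value.
// Not secretspec's own code.
use std::collections::HashMap;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Mutex;

/// Caches the outcome of an auth probe. The lock is held while the probe
/// runs, so a concurrent second caller waits for the first result instead of
/// probing again; both success and failure are cached for the instance's lifetime.
pub struct PreflightGuard {
    result: Mutex<Option<Result<(), String>>>,
}

impl PreflightGuard {
    pub fn new() -> Self {
        PreflightGuard { result: Mutex::new(None) }
    }

    pub fn ensure(&self, probe: impl FnOnce() -> Result<(), String>) -> Result<(), String> {
        let mut slot = self.result.lock().unwrap();
        slot.get_or_insert_with(probe).clone()
    }
}

/// Constructed stand-in for a CLI-backed provider. A real provider would run
/// its CLI's auth check in `probe`; here the `signed_in` flag decides.
pub struct MockProvider {
    guard: PreflightGuard,
    probes: AtomicUsize,
    signed_in: bool,
    store: Mutex<HashMap<String, String>>,
}

impl MockProvider {
    pub fn new(signed_in: bool) -> Self {
        MockProvider {
            guard: PreflightGuard::new(),
            probes: AtomicUsize::new(0),
            signed_in,
            store: Mutex::new(HashMap::new()),
        }
    }

    fn probe(&self) -> Result<(), String> {
        self.probes.fetch_add(1, Ordering::SeqCst);
        if self.signed_in {
            Ok(())
        } else {
            Err("not signed in".to_string())
        }
    }

    /// Preflight first, so a user is never asked to type a secret that the
    /// provider will then be unable to store.
    pub fn set_from_prompt(&self, key: &str, prompt: impl FnOnce() -> String) -> Result<(), String> {
        self.guard.ensure(|| self.probe())?;
        let value = prompt();
        self.store.lock().unwrap().insert(key.to_string(), value);
        Ok(())
    }

    pub fn stored(&self, key: &str) -> Option<String> {
        self.store.lock().unwrap().get(key).cloned()
    }

    pub fn probe_count(&self) -> usize {
        self.probes.load(Ordering::SeqCst)
    }
}
```

Caching the failure as well as the success keeps a broken session from triggering one probe per secret; the cost is that a fix made mid-run (signing in from another shell) is only picked up by a new provider instance.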
Install secretspec 0.8.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.8.1/secretspec-installer.sh | sh
HashiCorp Vault / OpenBao (vault) provider for Vault KV v1/v2 secret storage, with support for namespaces, TLS configuration, and OpenBao compatibility (requires --features vault)
Support running secretspec from subdirectories: the CLI now walks up the directory tree to find the nearest secretspec.toml, similar to cargo and git. Also adds a -f/--file flag (and SECRETSPEC_FILE env var) to explicitly specify the config file path (#59)
Changed
Extract shared block_on async helper from AWSSM and GCSM providers into provider::block_on
Fixed
GCSM provider no longer panics when called from within an existing tokio runtime
Install secretspec 0.8.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.8.0/secretspec-installer.sh | sh
Keyring and pass providers now support folder_prefix via URI (e.g., keyring://secretspec/shared/{profile}/{key}) to share secrets across projects, matching the existing OnePassword and LastPass behavior
Changed
Support XDG_CONFIG_HOME on macOS by switching from directories to etcetera crate. Existing macOS configs at ~/Library/Application Support/secretspec/ are automatically migrated to ~/.config/secretspec/ (#28)
Fixed
Reject empty values when setting a secret
Install secretspec 0.7.2
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.7.2/secretspec-installer.sh | sh