{"id":43303015,"url":"https://github.com/dinanathdash/envault","last_synced_at":"2026-04-20T13:00:56.156Z","repository":{"id":333912243,"uuid":"1127105829","full_name":"DinanathDash/Envault","owner":"DinanathDash","description":"Auditable .env secret manager featuring aggressive CLI safeguards and GitHub JIT access.","archived":false,"fork":false,"pushed_at":"2026-03-28T05:01:20.000Z","size":40696,"stargazers_count":3,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-28T08:50:20.593Z","etag":null,"topics":["cli","developer-tools","devsecops","dotenv","jit-access","secret-manager","secrets-management","security"],"latest_commit_sha":null,"homepage":"https://www.envault.tech","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DinanathDash.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-03T07:24:19.000Z","updated_at":"2026-03-28T05:01:22.000Z","dependencies_parsed_at":"2026-03-28T07:15:31.197Z","dependency_job_id":null,"html_url":"https://github.com/DinanathDash/Envault","commit_stats":null,"previous_names":["dinanathdash/envault"],"tags_count":35,"template":false,"template_full_name":null,"purl":"pkg:github/DinanathDash/Envault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinanathDash%2FEnvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinanathDash%2FEnvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinanathDash%2FEnvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinanathDash%2FEnvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DinanathDash","download_url":"https://codeload.github.com/DinanathDash/Envault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DinanathDash%2FEnvault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31313859,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","developer-tools","devsecops","dotenv","jit-access","secret-manager","secrets-management","security"],"created_at":"2026-02-01T20:09:08.576Z","updated_at":"2026-04-20T13:00:56.086Z","avatar_url":"https://github.com/DinanathDash.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Envault\n\n**Envault** is a secure, modern vault application built with Next.js, Supabase, and Tailwind CSS. It provides a robust authentication system and a sleek user interface for storing and managing sensitive information.\n\n## Features\n\n- **Bank-Grade Security**: AES-256-GCM encryption with master/data key hierarchy and automatic key rotation.\n- **Project Workspaces**: Organize secrets into distinct projects for better management.\n- **Semantic Routing**: Clean, GitHub-style URLs (`/[username]/[project-slug]`) for easy sharing and navigation.\n- **Team Collaboration**: Secure project sharing with strict Role-Based Access Control:\n - _Owner_: Full administrative control (Rename, Delete, Manage Team).\n - _Editor_: Active contributor (Read/Write secrets, request to Share).\n - _Viewer_: Read-only access to variables.\n- **Secure Authentication**: Powered by Supabase Auth for robust user management, including **Passkey** support for passwordless, biometric login.\n- **Modern UI/UX**: Built with Tailwind CSS, Shadcn UI, and Framer Motion for a premium experience.\n- **Interactive 3D Elements**: High-performance 3D visuals powered by React Three Fiber.\n- **Keyboard First**: Navigate efficiently with fully customizable, conflict-free hotkeys.\n- **Responsive Design**: Fully responsive layout that works seamlessly on desktop and mobile.\n- **Dark Mode Support**: Built-in support for light and dark themes.\n- **CLI Support**: Manage your secrets directly from your terminal, featuring automatic non-blocking background update checks.\n- **Real-time System Status**: Monitor system health, active incidents, and historical uptime with a dedicated status page.\n- **Dedicated Support Page**: Integrated support features directly within the app to help users manage troubleshooting options efficiently.\n- **Comprehensive Documentation**: Integrated docs site with guides, API reference, and CLI documentation.\n\n## CLI\n\nEnvault natively supports the Model Context Protocol (MCP), so AI coding assistants like Claude Desktop, Cursor, and RooCode/Cline can pull and push your secure environments effortlessly. \n\n```bash\n# Automatically configure your AI clients (Global \u0026 Local Workspaces)\nenvault mcp install\n\n# Or install strictly for the current workspace\nenvault mcp install --local\n```\n\n### Installation\n\n**macOS \u0026 Linux (Universal)**\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/DinanathDash/Envault/main/install.sh | sh\n```\n\n**macOS (Homebrew)**\n\n```bash\nbrew tap DinanathDash/envault\nbrew install --formula envault\n```\n\nHomebrew cask installs are deprecated. If you installed via cask, migrate with:\n\n```bash\nbrew uninstall --cask dinanathdash/envault/envault\nbrew install --formula envault\n```\n\nFor more details, check out the [CLI Documentation](./cli-go/README.md).\n\n### Local Testing\n\nEnvault local development now uses `portless` with HTTPS hostnames.\n\n```bash\nnpm install -g portless\n```\n\nTo use the Envault CLI with the local development server, set the `ENVAULT_CLI_URL` environment variable:\n\n```bash\nexport ENVAULT_CLI_URL=\"https://envault.localhost/api/cli\"\nenvault login\n```\n\n## Security Architecture\n\nEnvault uses a hybrid encryption model to ensure maximum security:\n\n1. **Master Key**: A 32-byte key stored in environment variables, used solely to encrypt/decrypt Data Keys.\n2. **Data Keys**: Unique keys for encrypting actual data. These are stored encrypted in the database.\n3. **Key Rotation**: Data keys can be rotated. The active key is cached in Redis for high performance without compromising security.\n4. **AES-256-GCM**: Industry-standard authenticated encryption for all secrets.\n\n## Tech Stack\n\n- **Framework**: [Next.js](https://nextjs.org/) (App Router)\n- **Database \u0026 Auth**: [Supabase](https://supabase.com/)\n- **KV Store**: [Upstash Redis](https://upstash.com/)\n- **Documentation**: [Fumadocs](https://www.fumadocs.dev/)\n- **Styling**: [Tailwind CSS](https://tailwindcss.com/)\n- **UI Components**: [Shadcn UI](https://ui.shadcn.com/) / [Radix UI](https://www.radix-ui.com/)\n- **3D \u0026 Graphics**: [React Three Fiber](https://r3f.docs.pmnd.rs/) / [Three.js](https://threejs.org/)\n- **Animations**: [Framer Motion](https://www.framer.com/motion/)\n- **Icons**: [Lucide React](https://lucide.dev/)\n- **State Management**: [Zustand](https://github.com/pmndrs/zustand)\n- **Forms**: [React Hook Form](https://react-hook-form.com/) + [Zod](https://zod.dev/)\n- **Notifications**: [Sonner](https://sonner.emilkowal.ski/)\n- **Analytics**: [Vercel Analytics](https://vercel.com/analytics)\n\n## Getting Started\n\nFollow these steps to get the project running locally.\n\n### Prerequisites\n\n- Node.js 18+ installed\n- A Supabase project set up\n\n### Installation\n\n1. **Clone the repository**\n\n ```bash\n git clone https://github.com/dinanathdash/envault.git\n cd envault\n ```\n\n2. **Install dependencies**\n\n ```bash\n npm install\n # or\n yarn install\n # or\n pnpm install\n # or\n bun install\n ```\n\n3. **Environment Setup**\n\n Copy the example environment file:\n\n ```bash\n cp .env.example .env.local\n ```\n\n Open `.env.local` and add your Supabase credentials:\n\n ```env\n NEXT_PUBLIC_SUPABASE_URL=your-project-url\n NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key\n\n # Generate a secure key: node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\"\n ENCRYPTION_KEY=your-64-char-hex-key\n\n SUPABASE_SERVICE_ROLE_KEY=your-service-role-key\n\n UPSTASH_REDIS_REST_URL=your-upstash-url\n UPSTASH_REDIS_REST_TOKEN=your-upstash-token\n\n # Used for securely signing and verifying frontend API mutations (POST, PUT, DELETE, PATCH)\n NEXT_PUBLIC_API_SIGNATURE_SALT=your-secure-random-hmac-secret\n\n ```\n\n4. **Run the development server**\n\n ```bash\n npm run dev\n ```\n\n Open [https://envault.localhost:1355](https://envault.localhost:1355) with your browser to see the result.\n\n5. **Test Email Configuration (Optional)**\n\n To verify that your Resend API configuration is working, you can send a test email to yourself:\n\n ```bash\n npm run test:email -- your-email@example.com\n ```\n\n## Monorepo Setup Map\n\nThis repository contains multiple publishable/runtime components. Use this map when cloning and contributing.\n\n| Folder | Purpose | Install | Common Commands |\n|---|---|---|---|\n| `./` | Main Next.js app | `npm install` | `npm run dev`, `npm run build`, `npm run lint`, `npm run test:all` |\n| `cli-go/` | Go CLI (`envault`) | `go mod download` | `go test ./...`, `go build ./...` |\n| `src/lib/sdk/` | npm SDK package (`@dinanathdash/envault-sdk`) | `npm install` | `npm run typecheck`, `npm run build` |\n| `mcp-server/` | npm MCP package (`@dinanathdash/envault-mcp-server`) | `npm install` | `npm run check`, `npm start` |\n| `cli-wrapper/` | npm wrapper for CLI install/bootstrap | `npm install` | `node install.js` |\n\n### First-time contributor flow\n\n1. Clone and install root dependencies:\n\n```bash\ngit clone https://github.com/dinanathdash/envault.git\ncd envault\nnpm install\n```\n\n2. Copy env file and configure required keys:\n\n```bash\ncp .env.example .env.local\n```\n\n3. Install package-local dependencies for publishable subpackages:\n\n```bash\ncd src/lib/sdk \u0026\u0026 npm install\ncd ../../.. \u0026\u0026 cd mcp-server \u0026\u0026 npm install\ncd ..\n```\n\n4. Validate everything in one pass:\n\n```bash\nnpm run lint\nnpm run test:all\nnpm run build\n```\n\n## Package Publishing + Workflows\n\n### npm packages\n\n- SDK: `@dinanathdash/envault-sdk` (source: `src/lib/sdk/`)\n- MCP: `@dinanathdash/envault-mcp-server` (source: `mcp-server/`)\n\n### GitHub Actions workflows\n\n- CLI release workflow: `.github/workflows/publish.yml`\n- SDK publish workflow: `.github/workflows/publish-sdk.yml`\n- MCP publish workflow: `.github/workflows/publish-mcp.yml`\n\nEach package versions independently via semantic-release when changes occur in its own folder:\n\n- CLI tags: `v\u003cversion\u003e`\n- SDK tags: `sdk-v\u003cversion\u003e`\n- MCP tags: `mcp-v\u003cversion\u003e`\n\nThis keeps SDK and MCP release streams decoupled from CLI version bumps.\n\n### Local prepublish checks\n\n```bash\nnpm run sdk:check\nnpm run mcp:check\n```\n\n### Manual publish commands\n\n```bash\nnpm run sdk:publish\nnpm run mcp:publish\n```\n\n## Version and Update Commands\n\nUse these commands so users can quickly verify what version they are on and update safely.\n\n### CLI (`envault`)\n\nCheck installed CLI version:\n\n```bash\nenvault --version\n```\n\nUpdate via Homebrew formula:\n\n```bash\nbrew update\nbrew untap dinanathdash/envault || true\nbrew tap dinanathdash/envault\nbrew upgrade --formula envault\n```\n\n### SDK (`@dinanathdash/envault-sdk`)\n\nCheck installed and latest SDK versions:\n\n```bash\nnpm ls @dinanathdash/envault-sdk\nnpm view @dinanathdash/envault-sdk version\n```\n\nUpdate SDK (preferred via Envault CLI):\n\n```bash\nenvault sdk update\n```\n\nUpdate SDK (npm fallback):\n\n```bash\nnpm install @dinanathdash/envault-sdk@latest\n```\n\nRuntime behavior:\n- SDK prints a warning when a newer SDK version exists.\n- SDK blocks execution when below minimum supported version configured by server.\n\n### MCP (`@dinanathdash/envault-mcp-server`)\n\nCheck installed MCP version (standalone MCP package installs):\n\n```bash\nenvault-mcp-server --version\n```\n\nCheck MCP update availability (standalone MCP package installs):\n\n```bash\nenvault-mcp-server --check-update\n```\n\nUpdate MCP integration (preferred via Envault CLI):\n\n```bash\nenvault mcp update\n```\n\nUpdate MCP globally (npm fallback for standalone installs):\n\n```bash\nnpm install -g @dinanathdash/envault-mcp-server@latest\n```\n\n## License\n\nCopyright (c) 2026 Dinanath Dash. All Rights Reserved.\n\nThe source code is provided strictly for transparency, security auditing, and education. This is not open-source software.\n\nYou may inspect and analyze the code for security purposes. You may not execute, compile, run, deploy, copy, modify, fork, redistribute, sublicense, or provide any service using this code without prior explicit written permission.\n\nSee the [LICENSE](LICENSE) file for the complete legal terms.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdinanathdash%2Fenvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdinanathdash%2Fenvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdinanathdash%2Fenvault/lists"}