{"id":50859574,"url":"https://github.com/ebisawa/kapsaro","last_synced_at":"2026-06-14T20:34:47.182Z","repository":{"id":345758901,"uuid":"1187203005","full_name":"ebisawa/kapsaro","owner":"ebisawa","description":"Offline-first CLI for sharing encrypted .env files and other secrets through Git","archived":false,"fork":false,"pushed_at":"2026-06-14T15:41:12.000Z","size":4096,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-14T20:34:27.988Z","etag":null,"topics":["cli","dotenv","encyrption","git","secrets"],"latest_commit_sha":null,"homepage":"https://www.kapsaro.com/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ebisawa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-20T13:08:22.000Z","updated_at":"2026-06-14T15:41:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ebisawa/kapsaro","commit_stats":null,"previous_names":["ebisawa/secretenv","ebisawa/kapsaro"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/ebisawa/kapsaro","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ebisawa%2Fkapsaro","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ebisawa%2Fkapsaro/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ebisawa%2Fkapsaro/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ebisawa%2Fkapsaro/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ebisawa","download_url":"https://codeload.github.com/ebisawa/kapsaro/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ebisawa%2Fkapsaro/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34337551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","dotenv","encyrption","git","secrets"],"created_at":"2026-06-14T20:34:46.487Z","updated_at":"2026-06-14T20:34:47.174Z","avatar_url":"https://github.com/ebisawa.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kapsaro\n\n[日本語版 README はこちら](README_ja.md)\n\n\u003e [!NOTE]\n\u003e This project has been renamed from SecretEnv to Kapsaro.\n\n`kapsaro` is an offline-first CLI for development teams that want to share API tokens, database passwords, certificates, `.env` values, and other development secrets without passing them around in plaintext.\n\nIt fits teams that already use Git and pull-request review as their daily workflow. Secrets, member changes, removals, and key rotation are represented as encrypted repository changes, so the team can review secret-sharing decisions through the same process they already use for code.\n\nNo dedicated cloud service, SaaS secret platform, or always-on server is required. Encryption, decryption, verification, and recipient updates work locally and offline, while Git remains the shared transport and review layer.\n\nThis project is currently in beta. Feedback from trials, design reviews, and realistic team workflows is welcome before production adoption.\n\n## What You Can Do First\n\nKapsaro lets you move these workflows into Git review:\n\n- encrypt an existing `.env` file and share it without committing plaintext\n- decrypt encrypted secrets just in time to run normal development commands\n- sync future recipients after a member is removed\n\n```bash\n# Encrypt an existing .env file into Git-managed storage\nkapsaro init --member-handle alice@example.com\nkapsaro import .env\n\n# Run the app without distributing a plaintext .env file\nkapsaro run -- npm start\n\n# Remove a member from future sharing\nkapsaro member remove old-member@example.com\nkapsaro rewrap\n```\n\n## What Encryption Alone Does Not Solve\n\nEven if secret files are encrypted, teams still need to decide:\n\n- when a new member should receive each secret\n- whether a removed member has been excluded from future sharing\n- whether values a removed member could previously read need to be updated\n\nKapsaro records removed-member history and shows entry-level signals that help teams decide which `.env` values may need updates. Secret updates and membership changes are stored as files, so teams can review them in normal pull requests. For the broader positioning, see the [Product Brief](guides/product_brief_en.md).\n\n## Security Highlights\n\n`kapsaro` encrypts values that should stay private, such as access tokens, API keys, and certificates, so each member uses their own key material to decrypt. Teams do not need to distribute one shared encryption key; only members included as recipients can read the encrypted content.\n\nThe design is built around five ideas:\n\n- encrypt secrets before they are stored in the repository, so a repository shared by many members can still carry sensitive values safely\n- use public-key encryption to share the information needed for decryption separately with each recipient\n- use proven, standards-based cryptographic schemes including HPKE, Ed25519 signatures, XChaCha20-Poly1305, and HKDF-SHA256\n- require no dedicated server or SaaS; encryption, decryption, verification, and recipient updates are designed to work offline, even without network access\n- verify signatures and recipient information before decrypting or updating encrypted artifacts\n\n## Install\n\n### Homebrew (macOS / Linux)\n\n```bash\nbrew tap ebisawa/kapsaro\nbrew install kapsaro\n```\n\n### Shell script\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/ebisawa/kapsaro/main/install.sh | sh\n```\n\nThe installer verifies each release archive's build provenance with GitHub Artifact Attestations using the GitHub CLI (`gh`), and verification is required by default. If `gh` is not installed, or to skip verification deliberately, set `KAPSARO_INSECURE=1` to install without it.\n\n### Build from source\n\n```bash\ngit clone \u003ckapsaro-repo\u003e\ncd kapsaro\ncargo install --path .\n```\n\n## Getting Started\n\n### 1. Initialize a workspace\n\n```bash\ncd /path/to/your-git-repo\nkapsaro init --member-handle alice@example.com\n```\n\nThis creates a `.kapsaro/` directory, generates your key pair, and registers you as the first member.\nIf the workspace already exists, `init` does nothing. Use `kapsaro join` to submit a key to an existing workspace.\n\n### 2. Add secrets\n\n```bash\n# Add individual entries\nkapsaro set DATABASE_URL \"postgres://user:pass@localhost/mydb\"\nkapsaro set API_KEY \"sk-your-api-key\"\n\n# Or import an existing .env file\nkapsaro import .env\n```\n\n### 3. Commit to Git\n\n```bash\ngit add .kapsaro/\ngit commit -m \"Initialize kapsaro workspace\"\n```\n\n### 4. Use your secrets\n\n```bash\n# Retrieve a single value\nkapsaro get DATABASE_URL\n\n# Run a command with all secrets injected as environment variables\nkapsaro run -- ./my-app\n```\n\nCheck workspace health before onboarding, CI setup, or release work:\n\n```bash\nkapsaro doctor\n```\n\nFor detailed setup and operational guidance, see the [User Guide](guides/user_guide_en.md).\n\n## Read More\n\nIf you want the high-level overview first:\n\n- [Product Brief (English)](guides/product_brief_en.md)\n- [Product Brief (Japanese)](guides/product_brief_ja.md)\n\nIf you want setup and operational guidance:\n\n- [User Guide (English)](guides/user_guide_en.md)\n- [User Guide (Japanese)](guides/user_guide_ja.md)\n- [Windows / WSL2 Supplemental Guide (English)](guides/wsl_user_guide_en.md)\n- [Windows / WSL2 Supplemental Guide (Japanese)](guides/wsl_user_guide_ja.md)\n\nIf you want the security model and design details:\n\n- [Security Design (English)](guides/security_design_en.md)\n- [Security Design (Japanese)](guides/security_design_ja.md)\n\n## Status\n\nThis project is currently in beta. During the beta stage, external specifications such as file formats are kept fixed unless a significant problem requires changing them, and the remaining work toward the stable release focuses on bug fixes and UI refinements.\n\n## License\n\nApache-2.0. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Febisawa%2Fkapsaro","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Febisawa%2Fkapsaro","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Febisawa%2Fkapsaro/lists"}