{"id":21659697,"url":"https://github.com/zifeo/lade","last_synced_at":"2026-02-18T10:06:44.683Z","repository":{"id":87275123,"uuid":"596329110","full_name":"zifeo/lade","owner":"zifeo","description":"Automatically load secrets from your preferred vault as environment variables or files, and clear them once your shell command is over.","archived":false,"fork":false,"pushed_at":"2026-02-01T17:57:57.000Z","size":385,"stargazers_count":111,"open_issues_count":6,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-02-09T03:27:42.786Z","etag":null,"topics":["1password","bash","doppler","environment-variables","fish","infisical","metatype","secret","vault","zsh"],"latest_commit_sha":null,"homepage":"https://metatype.dev/docs/reference/ecosystem?utm_source=github\u0026utm_medium=about\u0026utm_campaign=lade","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zifeo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-02-02T00:07:50.000Z","updated_at":"2026-02-02T16:40:15.000Z","dependencies_parsed_at":"2024-02-01T18:19:40.102Z","dependency_job_id":"af090e95-4338-4129-bd5e-cfde21c5add1","html_url":"https://github.com/zifeo/lade","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"purl":"pkg:github/zifeo/lade","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zifeo%2Flade","tags_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/zifeo%2Flade/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zifeo%2Flade/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zifeo%2Flade/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zifeo","download_url":"https://codeload.github.com/zifeo/lade/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zifeo%2Flade/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29575376,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T08:38:15.585Z","status":"ssl_error","status_checked_at":"2026-02-18T08:38:14.917Z","response_time":162,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["1password","bash","doppler","environment-variables","fish","infisical","metatype","secret","vault","zsh"],"created_at":"2024-11-25T09:31:24.027Z","updated_at":"2026-02-18T10:06:44.678Z","avatar_url":"https://github.com/zifeo.png","language":"Rust","readme":"# Lade\n\n![Crates.io](https://img.shields.io/crates/v/lade)\n\nLade (/leɪd/) is a tool allowing you to automatically load secrets from your\npreferred vault into environment variables or files. 
It limits the exposure of\nsecrets to the time the command requiring the secrets lives.\n\n![Demo](./examples/demo.gif)\n\n\u003e Lade is part of the\n\u003e [Metatype ecosystem](https://github.com/metatypedev/metatype). Consider\n\u003e checking out how this component integrates with the whole ecosystem and browse\n\u003e the\n\u003e [documentation](https://metatype.dev?utm_source=github\u0026utm_medium=readme\u0026utm_campaign=lade)\n\u003e to see more examples.\n\n## Getting started\n\nYou can download the binary executable from\n[releases page](https://github.com/zifeo/whiz/releases/) on GitHub, make it\nexecutable and add it to your `$PATH` or use the method below to automate those\nsteps.\n\n```bash\n# recommended way\ncurl -fsSL https://raw.githubusercontent.com/zifeo/lade/main/installer.sh | bash\n\n# or alternative ways via cargo\ncargo install lade --locked\ncargo install --git https://github.com/zifeo/lade --locked\n\n# upgrade\nlade upgrade\n\n# install shell hooks (only required once)\nlade install\n```\n\nCompatible shells: [Fish](https://fishshell.com),\n[Bash](https://www.gnu.org/software/bash/), [Zsh](https://zsh.sourceforge.io)\n\nCompatible vaults: [Infisical](https://infisical.com),\n[1Password CLI](https://1password.com/downloads/command-line/),\n[Doppler](https://www.doppler.com), [Vault](https://github.com/hashicorp/vault)\n\n## Usage\n\nLade will run before and after any command you run in your shell thanks to\ncommand hooks installed by `lade install`. On each run, it will recursively look\nfor `lade.yml` files in the current directory and its parents. 
It will then\naggregate any secrets matching the command you are running using a regex and\nload them into environment variables or files for the time of the run.\n\n```bash\ncd examples/terraform\nterraform apply\n# example = \"hello world\"\n```\n\nSee [lade.yml](lade.yml) or the [examples](./examples) folders for other use\ncases.\n\n### Manual injections\n\nIf you prefer to decide when to load secrets, you can inject them manually\nusing the `inject` command. Note that when running scripts or a\nnon-interactive shell session, there is no guarantee that the shell hooks will\nbe triggered. In that case, the `inject` command is the only way to load\nsecrets.\n\n```bash\ncd examples/terraform\nlade inject terraform apply\n```\n\n### Outputting as files\n\nBy default, Lade will load secrets into environment variables. You can write\nsecrets to a file instead by setting `file` inside the `.` configuration block.\nThe content format is determined by the file extension. Currently only YAML and\nJSON are supported.\n\n```yaml\ncommand regex:\n  .:\n    file: secrets.yml\n  SECRET: op://...\n```\n\n### Per-user secrets\n\nWhen different team members need different secret values for the same variable,\nspecify each user as a key. 
Lade resolves the current user automatically; use\n`\".\"` as a catch-all default for any user not explicitly listed (including when\nno user is set).\n\n```yaml\ncommand regex:\n  SAME_SECRET_FOR_EVERYONE: hello_world\n  SECRET_FOR_THE_USER:\n    alex: alex_secret\n    zifeo: zifeo_secret\n    .: default_secret # used when no matching user is found\n  SECRET_FOR_ZIFEO_ONLY:\n    zifeo: zifeo_secret\n    .: null # explicitly no value for other users\n```\n\nUse the `user` subcommand to control which user Lade resolves:\n\n```sh\nlade user              # show currently set user\nlade user tonystark    # set user to tonystark\nlade user --reset      # reset, falling back to the OS user\n```\n\n## Loaders\n\nMost of the vault loaders use their native CLI to operate. This means you must\nhave them installed locally and your login/credentials must be valid. Lade may\nevolve by integrating directly with the corresponding API, but this is left as\nfuture work.\n\n### Infisical loader\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: infisical://DOMAIN/PROJECT_ID/ENV_NAME/SECRET_NAME\n```\n\nFrequent domain(s): `app.infisical.com`.\n\nNote: the `/api` is automatically added to the DOMAIN. This source currently\nonly supports a single domain (you cannot be logged into multiple ones).\n\n### 1Password loader\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: op://DOMAIN/VAULT_NAME/SECRET_NAME/FIELD_NAME\n```\n\nFrequent domain(s): `my.1password.eu`, `my.1password.com` or `my.1password.ca`.\n\nIn CI/CD `OP_SERVICE_ACCOUNT_TOKEN` is typically injected directly by the\nplatform. For cases where the token itself is stored in another vault, add\n`1password_service_account` to the `.` config block. Lade resolves that URI\nfirst — using any loader — and injects the result as `OP_SERVICE_ACCOUNT_TOKEN`\nbefore resolving the remaining `op://` secrets. 
This enables recursive\ncross-vault lookups: the token lives in Vault or Infisical, and the actual\nsecrets live in 1Password.\n\nPer-user mapping lets each developer or environment use a different source for\nthe token, or skip it entirely with `null` to fall back on their local `op` session.\n\n```yaml\ncommand regex:\n  .:\n    # simple: token stored in 1Password itself (requires an active op session)\n    1password_service_account: op://DOMAIN/VAULT/ITEM/FIELD\n    # or per-user: CI pulls token from Vault, others use their local op session\n    # 1password_service_account:\n    #   ci: vault://DOMAIN/MOUNT/KEY/FIELD\n  EXPORTED_ENV_VAR: op://...\n```\n\n### Doppler loader\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: doppler://DOMAIN/PROJECT_NAME/ENV_NAME/SECRET_NAME\n```\n\nFrequent domain(s): `api.doppler.com`.\n\n### Vault loader\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: vault://DOMAIN/MOUNT/KEY/FIELD\n```\n\n### Passbolt loader\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: passbolt://DOMAIN/RESOURCE_ID/FIELD\n```\n\n### File loader\n\nSupports INI, JSON, YAML and TOML files.\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: file://PATH?query=.fields[0].field\n```\n\n`PATH` can be relative to the lade directory, start with `~`/`$HOME` or absolute\n(not recommended when sharing the project with others as they likely have\ndifferent paths).\n\n### Raw loader\n\n```yaml\ncommand regex:\n  EXPORTED_ENV_VAR: \"value\"\n```\n\nEscaping a value with the `!` prefix enforces the use of the raw loader and\ndouble `!!` escapes itself.\n\n## Development\n\n```bash\neval \"$(lade off)\"\neval \"$(cargo run -- on)\"\necho a $A1 $A2 $B1 $B2 $B3 $C1 $C2 $C3\ncargo run -- -vvv set echo a\ncargo run -- inject echo a\neval \"$(cargo run -- off)\"\neval \"$(lade on)\"\n```\n","funding_links":[],"categories":["Secret 
Management","Rust"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzifeo%2Flade","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzifeo%2Flade","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzifeo%2Flade/lists"}