CLI Changelog

Changes specific to the CLI (envilder npm package).

For SDK-specific changes, see sdk-dotnet.md, sdk-python.md, or sdk-nodejs.md.

v0.10.02026-05-03

Added

• Map-file JSON Schema — A formal JSON Schema specification for map files, published at https://envilder.com/schema/map-file.v1.json. Add

for IDE autocomplete, inline documentation, and validation

(#218)

• Schema contract tests — 39 tests validating the JSON Schema across all providers (AWS, Azure, GCP, HashiCorp Vault, file)

Fixed

• Reserved key filtering — All $-prefixed keys (e.g. $schema) are now excluded from variable mappings. Previously only $config was filtered,

(#218)

v0.9.42026-05-03

Fixed

• Mask secret path in bulk push log output (#185)

v0.9.32026-04-17

Added

• Runtime SDKs now available — Load secrets directly into your application at startup, no .env file needed:

.NET (NuGet):

builder.Configuration.AddEnvilder("envilder.json");

Python (PyPI):

from envilder import Envilder
Envilder.load('envilder.json')

CLI (as always):

npx envilder --map=envilder.json --envfile=.env

GitHub Action:

- uses: macalbert/envilder/github-action@v0
  with:
    map-file: envilder.json
    env-file: .env

Changed

• README rewritten — Streamlined messaging, accurate comparison tables, simplified quick start (2 steps), and reduced noise

Fixed

• ci(publish-npm): Narrowed paths filter from src/<strong> to src/envilder/</strong> so SDK/website/IaC changes no longer trigger the

• ci(publish-npm): Replaced npm view with curl against the npm registry API to avoid .npmrc auth failures during version detection
• ci(publish-website): Added docs/CHANGELOG.md and docs/changelogs/** to path filters so changelog updates trigger

Dependencies

• Bump typescript from 6.0.2 to 6.0.3

v0.9.22026-04-02

Added

• LocalStack sponsor section — Added sponsor section to website homepage and README with LocalStack logos (dark, light, color variants) and a new Sponsors.astro component

• Website test suite — Added tests/website/ with Vitest coverage for i18n utilities and Markdown helpers
• BackToTop component — New scroll-to-top button component for the documentation website

Changed

• Project layout restructured for SDK platform readiness (#134):
• Core domain layer moved from src/envilder/ to src/envilder/core/
• Website moved from src/apps/website/ to src/website/
• All imports, tsconfig.json, package.json, and workspace config updated accordingly
• Website UX improvements — DocsContent, HowItWorks, ThemeSwitcher, TerminalMockup, and BaseLayout components updated; global CSS expanded; i18n keys added for new content

Fixed

• README: Replace #gh-light-mode-only / #gh-dark-mode-only image fragments with a <picture> element using prefers-color-scheme media queries
• ci: Update version check in publish workflow to use published version from npm

Dependencies

• Bump @aws-sdk/client-ssm from 3.1019.0 to 3.1021.0 (#140)
• Bump @aws-sdk/credential-providers from 3.1019.0 to 3.1021.0 (#142)
• Bump secretlint from 11.4.0 to 11.4.1 (#141)
• Bump @secretlint/secretlint-rule-preset-recommend from 11.4.0 to 11.4.1 (#144)
• Bump astro from 6.1.1 to 6.1.2 (#143)
• Bump actions/configure-pages from 5 to 6 (#139)
• Bump actions/deploy-pages from 4 to 5 (#138)
• Bump pnpm/action-setup from 4 to 5 (#137)

v0.9.12026-03-30

Added

• Documentation website — Full Astro-based docs site deployed at envilder.com, with multi-language support (EN, ES, CA), dark/retro and light themes, and a dedicated changelog page

Changed

• Updated Envilder logo in README

Fixed

• deps: Move @types/node from dependencies to devDependencies to prevent it from being bundled as a runtime dependency
• e2e: Use unique SSM paths per CLI test run to prevent race conditions between parallel test executions

Dependencies

• Bump brace-expansion from 5.0.4 to 5.0.5 (security patch)
• Bump @azure/core-rest-pipeline and @azure/identity group updates

v0.8.02026-03-22

Added

• $config section in map files — Map files now support an optional $config key to declare provider and connection details inline (e.g., "provider": "azure", "vaultUrl": "https://...",

• New CLI flag --vault-url <url> — Azure Key Vault URL, overrides $config.vaultUrl in the map file
• Precedence chain: CLI flags > $config in map file > defaults
• Backward compatible: existing map files without $config continue to work (defaults to AWS provider)
• Azure Key Vault support — Use --provider=azure to pull/push secrets from Azure Key Vault (#90)
• New infrastructure adapter: AzureKeyVaultSecretProvider implementing ISecretProvider
• New CLI option --provider <name> to select cloud provider (aws or azure, default: aws)
• Azure authentication via DefaultAzureCredential (supports Azure CLI, managed identity, etc.)

Changed

• CLI flag --ssm-path renamed to --secret-path — The old flag is still accepted as a deprecated alias and prints a warning. It will be removed in a future release.
• configureInfrastructureServices() now receives a single MapFileConfig object instead of separate parameters
• CLI reads $config from the map file and merges with CLI flags
• Extracted shared ContainerConfiguration module for DI setup reused by CLI and GitHub Action
• Updated CLI description to include Azure Key Vault examples

Dependencies

• Added @azure/keyvault-secrets
• Added @azure/identity
• Added @azure/core-rest-pipeline

v0.7.122026-03-22

Fixed

• ssm: Upgrade AWS SDK to resolve fast-xml-parser CVEs (#128)

Changed

• ci: Upgrade dorny/test-reporter to v3 for Node.js 24 support (#127)
• dx: Add AI workflow agents, prompts, and lefthook pre-commit hook (#125)

Dependencies

• Bump undici from 7.22.0 to 7.24.1 (#126)

v0.7.112026-03-08

Security

• Bump AWS SDK packages to resolve fast-xml-parser vulnerability (#124)

v0.7.102026-03-02

Changed

• ci: Update CI configuration for improved build reliability
• Bump AWS SDK SSM to 3.1000.0 and align CI/publish workflows (#123)

Dependencies

• Bump @aws-sdk/credential-providers from 3.995.0 to 3.1000.0 (#122)
• Bump @types/node from 25.3.0 to 25.3.3 (#121)
• Bump minimatch (#119)

v0.7.92026-02-22

Fixed

• security: Patch transitive dependency vulnerabilities (#118)
• ci: Simplify npm publish command in workflow

v0.7.82026-02-05

Fixed

• deps: Upgrade AWS SDK to resolve fast-xml-parser DoS vulnerability (#116)

Dependencies

• Bump @isaacs/brace-expansion (#115)
• Bump @secretlint/secretlint-rule-preset-recommend (#114)
• Bump commander from 14.0.2 to 14.0.3 (#113)
• Bump @aws-sdk/client-ssm from 3.958.0 to 3.980.0 (#112)
• Bump secretlint from 11.2.5 to 11.3.1 (#110)
• Bump @commitlint/cli from 20.3.0 to 20.4.0 (#111)

v0.7.72026-01-27

Added

• push: AWS throttling retry logic and duplicate SSM path validation (#109)

Fixed

• ci: Streamline npm publish workflow to prevent failures (#106)

Dependencies

• Bump lodash (#108)
• Bump diff (#107)

v0.7.62026-01-16

Fixed

• ci: Align npm publish script with CI workflow expectations to prevent failures
• Removed redundant validation steps (lint, build, test) from publish script

Changed

• Simplified npm publish script from full validation pipeline to npm pack --dry-run && npm publish
• Updated README badge links
• Converted README badges from HTML to standard Markdown format

Removed

• ci: Deleted deprecated publish-action.yml workflow

v0.7.52026-01-15

Documentation

• Remove changelog generation instructions from documentation (#104)

Dependencies

• Bump undici to address security vulnerability (#105)

v0.7.42026-01-02

Dependencies

• Bump @commitlint/cli from 20.1.0 to 20.2.0 (#103)
• Bump testcontainers from 11.9.0 to 11.11.0 (#102)
• Bump @types/node from 24.10.1 to 25.0.3 (#101)
• Bump @testcontainers/localstack from 11.9.0 to 11.11.0 (#100)
• Bump @commitlint/config-conventional (#99)

v0.7.32025-11-29

Changed

• ci: Update Node.js version to 24 in workflow
• Update publish command to use pnpm
• Add repository field to package.json
• Standardize quotes in publish-npm.yml

Dependencies

• Bump actions/checkout from 5 to 6 (#98)
• Bump glob from 11.1.0 to 13.0.0 (#97)
• Bump pnpm/action-setup from 2 to 4 (#92)
• Bump @commitlint/cli from 19.8.1 to 20.1.0 (#94)
• Bump glob in the npm_and_yarn group (#96)

v0.7.12025-11-16

Documentation

• Update README and ROADMAP for GitHub Action integration (#95)

Changed

• ci: Update workflow to use pnpm for dependency management

Tests

• Increase timeout for E2E tests to 60 seconds

v0.7.02025-11-16

Added

• packaging: Add project build and uninstall functionality

Fixed

• cli: Correct build command from ppnpm to pnpm

Changed

• Move GitHub Action to github-action/ subfolder

Breaking Changes

• Action path changed from macalbert/envilder@v1 to macalbert/envilder/github-action@v1

v0.6.62025-11-02

Changed

• Updated AWS credentials configuration in workflows
• Bumped vite, @types/node, @biomejs/biome, GitHub/codeql-action, actions/setup-node, vitest

v0.6.52025-10-15

Added

• Enabled npm trusted publishing with OIDC authentication

Dependencies

• Bumped tmp, @types/node, @testcontainers/localstack, testcontainers, @aws-sdk/credential-providers
• Bumped secretlint, @biomejs/biome, @secretlint/secretlint-rule-preset-recommend
• Bumped vite, commander, inversify
• Updated actions/checkout, actions/setup-node, actions/upload-pages-artifact, aws-actions/configure-aws-credentials

v0.6.42025-08-02

Dependencies

• Bumped typescript from 5.8.3 to 5.9.2
• Bumped secretlint, @types/glob, @secretlint/secretlint-rule-preset-recommend, @biomejs/biome

v0.6.32025-07-20

Changed

• Bump version to 0.6.3 in package.json

v0.6.22025-07-20

Changed

• di: Implement .NET-Style DIP Startup Pattern for dependency injection (#59)

v0.6.12025-07-13

Added

• Push Mode functionality to upload environment variables to AWS SSM Parameter Store
• File-based approach for pushing multiple variables from .env files
• Single-variable approach for direct command line uploads
• Support for working with different AWS profiles when pushing secrets

Security

• Implemented secure parameter handling to protect sensitive values

Changed

• Designed clean, modular command structure for Push Mode operations
• Added new domain models and handlers to support Push feature
• Maintained separation of concerns between infrastructure and application layers

v0.6.02025-07-13

Added

• push: Introduced Push Mode — sync local .env variables to AWS SSM Parameter Store (#57)

v0.5.62025-07-06

Added

• Introduced new logger interface for seamless integration of custom logging implementations

Changed

• Updated several packages for improved security and performance

v0.5.52025-06-29

Changed

• Moved EnvilderBuilder from domain to application/builders directory
• Updated import paths across codebase for better organization

Fixed

• Fixed glob pattern and path handling in test cleanup functions
• Corrected file path resolution in end-to-end tests

v0.5.42025-06-10

Added

• Added unit tests for error handling with missing CLI arguments
• Enhanced unit test reporting with JUnit format for better CI integration

Changed

• Refactored EnvFileManager and related interfaces to use async/await
• Improved error handling and modularized secret processing
• Extracted PackageJsonFinder class
• Updated dependencies for better reliability

v0.5.32025-06-07

Added

• Modular CLI for environment variable synchronization with pluggable secret providers
• Builder pattern for flexible CLI configuration and usage
• Extensive unit, integration, and end-to-end tests
• AWS integration testing using LocalStack with TestContainers

Changed

• BREAKING: Full TypeScript migration from JavaScript
• Introduced modular, layered architecture with clear separation
• Migrated CI/CD workflows from Yarn to npm

v0.5.22025-05-18

Added

• Comprehensive E2E validation test in CI/CD pipeline
• Ensures package integrity and command-line operability before release

v0.5.12025-05-16

Fixed

• CLI command not recognized after global install (npm install -g envilder)
• Fixed missing compiled lib/ files in published package

v0.4.02026-05-18

Changed

• BREAKING: Root namespace for public API — All consumer-facing types moved from Envilder.Application / Envilder.Domain to the root

• BREAKING: Facade class renamed to Env — The static facade class is now Env instead of Envilder to avoid namespace/class name collision.

• Extension methods follow .NET conventions — AddEnvilder() for IConfigurationBuilder moved to

AddEnvilder() for IServiceCollection moved to

Microsoft.Extensions.DependencyInjection namespace.

Both are now discoverable without any Envilder-specific using directives

Migration

Replace:

using Envilder.Application;
using Envilder.Domain;
using Envilder.Infrastructure.Configuration;
using Envilder.Infrastructure.DependencyInjection;

With:

using Envilder;

Replace facade calls:

// Before
Envilder.Load("envilder.json");
Envilder.FromMapFile("envilder.json").Inject();
// After
Env.Load("envilder.json");
Env.FromMapFile("envilder.json").Inject();

and Microsoft.Extensions.DependencyInjection — no Envilder-specific import needed.

ASP.NET projects already include these namespaces via global usings; console apps

may need to add them explicitly.

v0.3.02026-05-03

Added

• Map-file JSON Schema support — Map files can now include "$schema": "https://envilder.com/schema/map-file.v1.json" for IDE

Fixed

• Reserved key filtering — All $-prefixed keys are now excluded from variable mappings. Previously only $config was filtered

v0.2.02026-04-18

Added

• Static facade — Envilder class with one-liner API for resolving and injecting secrets
• ResolveFile(path) / ResolveFileAsync(path) — Resolve secrets from a map file
• Load(path) / LoadAsync(path) — Resolve and inject secrets into Environment
• ResolveFile(env, mapping) / Load(env, mapping) — Environment-routed overloads
• FromMapFile(path) — Fluent builder with .WithProvider(), .WithProfile(), .WithVaultUrl()
• EnvilderBuilder.Resolve() / ResolveAsync() / Inject() / InjectAsync() — Fluent terminal methods
• ISecretProvider.GetSecret(name) — Synchronous secret retrieval (new interface method)
• AwsSsmSecretProvider.GetSecret(name) — Sync AWS SSM implementation
• AzureKeyVaultSecretProvider.GetSecret(name) — Sync Azure Key Vault implementation
• EnvilderClient.ResolveSecrets(mapFile) — Sync secret resolution

Changed

• Simplify AddEnvilder extensions — IConfigurationBuilder.AddEnvilder() and IServiceCollection.AddEnvilder() now accept (string mapFilePath, EnvilderOptions? options)

(#167)

• Cross-provider validation — SecretProviderFactory now rejects invalid combinations: AWS profile with Azure provider, or Vault URL with AWS provider

Breaking

• SecretProviderFactory is now internal — External code that referenced this type directly will no longer compile. Use the Envilder facade, EnvilderBuilder

(#167)

• ISecretProvider.GetSecret(string name) — New required interface method. External implementations of ISecretProvider must add a synchronous GetSecret method

• ServiceCollectionExtensions.AddEnvilder(string, ISecretProvider) signature removed — Use AddEnvilder(string, EnvilderOptions?) instead
• ConfigurationBuilderExtensions.AddEnvilder(string, ISecretProvider) signature removed — Use AddEnvilder(string, EnvilderOptions?) instead

Fixed

• Delegate default AWS region resolution to the AWS SDK — When no profile is set, the factory no longer manually resolves the region via ResolveRegion(). Instead it creates a

(env vars → ~/.aws/config → instance metadata), correctly picking up the default config

file settings

(#166)

• Respect AWS_SHARED_CREDENTIALS_FILE for profile resolution — CredentialProfileStoreChain now receives the credentials file path from the AWS_SHARED_CREDENTIALS_FILE environment

(#166)

Testing

• Unit tests for facade validation, env routing, and fluent builder chaining
• Acceptance tests for ResolveFile and Load against LocalStack
• Sync GetSecret tests for AWS SSM and Azure Key Vault providers
• Sync ResolveSecrets test for EnvilderClient

v0.1.02026-04-09

Added

• Initial release — Runtime library for loading secrets from AWS SSM Parameter Store or Azure Key Vault directly into .NET applications (#147)
• EnvilderClient — Resolves secrets from a map-file and returns them as a dictionary
• MapFileParser — Parses envilder.json files with $config section and variable mappings
• SecretProviderFactory — Creates the appropriate secret provider based on configuration
• AwsSsmSecretProvider — Fetches secrets from AWS SSM Parameter Store
• AzureKeyVaultSecretProvider — Fetches secrets from Azure Key Vault
• IConfiguration extensions — Load secrets directly into .NET configuration
• IServiceCollection extensions — Register Envilder in the DI container
• EnvilderOptions — Runtime overrides for provider, vault URL, and AWS profile
• Targets .NET Standard 2.0 (compatible with .NET 6+, .NET Framework 4.6.1+)
• Published to NuGet as Envilder

Testing

• Unit tests with xUnit, NSubstitute, AwesomeAssertions, and AutoFixture
• Acceptance tests with TestContainers (LocalStack for AWS, Lowkey Vault for Azure)

v0.4.02026-05-03

Added

• Map-file JSON Schema support — Map files can now include "$schema": "https://envilder.com/schema/map-file.v1.json" for IDE

Fixed

• Reserved key filtering — All $-prefixed keys are now excluded from variable mappings. Previously only $config was filtered

v0.3.22026-04-18

Changed

• Encapsulate SecretProviderFactory — Renamed to _SecretProviderFactory and removed from public re-exports; consumers should use the Envilder facade instead of creating

(#167)

• Cross-provider validation — _SecretProviderFactory.create() now rejects invalid combinations: AWS profile with Azure provider, or vault URL with AWS provider

Fixed

• Delegate default AWS region resolution to boto3 — When no profile is set, the factory no longer manually resolves the region from environment variables. Instead it creates a plain

instance metadata), correctly picking up the default config file settings

(#166)

v0.3.12026-04-17

Fixed

• Remove mypy-boto3-ssm runtime dependency — AwsSsmSecretProvider imported mypy_boto3_ssm.SSMClient at runtime, but the package is a dev-only type stub.

botocore.client.BaseClient which is already bundled with boto3

(#165)

v0.3.02026-04-17

Added

• Environment-based loading — Envilder.load(env, env_mapping) and Envilder.resolve_file(env, env_mapping) accept a dictionary mapping environment names to

external branching logic (#163)

• Source validation — Empty or whitespace-only file paths in env_mapping now raise ValueError with a descriptive message including the environment key

v0.2.02026-04-16

Added

• Fluent API facade — Envilder high-level entry point with load(), resolve_file(), and from_map_file() methods, plus fluent override methods (with_provider(), with_vault_url(),

• Facade docstrings — All public methods on the Envilder facade now have docstrings with usage examples, improving IDE tooltips and help() output for external consumers

v0.1.02026-04-14

Added

• Initial release — Runtime library for loading secrets from AWS SSM Parameter Store or Azure Key Vault directly into Python applications

• Envilder facade — High-level entry point with load(), resolve_file(), and from_map_file() methods
• EnvilderClient — Resolves secrets from a map-file and injects them into os.environ
• MapFileParser — Parses envilder.json files with $config section and variable mappings
• SecretProviderFactory — Creates the appropriate secret provider based on configuration
• AwsSsmSecretProvider — Fetches secrets from AWS SSM Parameter Store via boto3
• AzureKeyVaultSecretProvider — Fetches secrets from Azure Key Vault
• EnvilderOptions — Runtime overrides for provider, vault URL, and AWS profile
• Synchronous API — no async/await, uses boto3 natively
• Protocol-based ports — Python Protocol instead of ABC
• Python 3.10+ with full type annotations (py.typed)
• Published to PyPI as envilder

Testing

• Unit tests with pytest using Should_<Expected>_When_<Condition> naming
• Acceptance tests with TestContainers (LocalStack for AWS, Lowkey Vault for Azure)

v0.2.02026-05-03

Added

• Map-file JSON Schema support — Map files can now include "$schema": "https://envilder.com/schema/map-file.v1.json" for IDE

Fixed

• Reserved key filtering — All $-prefixed keys are now excluded from variable mappings. Previously only $config was filtered

v0.1.12026-05-02

Documentation

• Add Node.js SDK references to root README, website, and installation guide

v0.1.02026-04-25

Added

• Initial release — Node.js runtime SDK for loading secrets directly into process.env from a map file. Supports AWS SSM Parameter Store and

• Envilder facade — load(), resolveFile(), fromMapFile() fluent builder for one-liner or fine-grained secret loading
• EnvilderClient — Core resolver with resolveSecrets() and injectIntoEnvironment() for custom provider usage
• MapFileParser — Parse $config section and variable mappings from JSON
• Secret validation — Opt-in validateSecrets() throws SecretValidationError for empty or missing values
• Environment-based routing — Load different secret files per environment (production, development, test)

v0.10.02026-05-03

Fixed

• Reserved key filtering — $schema and other $-prefixed keys no longer leak into environment variable mappings

Dependencies

• Bundle updated with latest CLI core (map-file schema support)

v0.9.42026-05-03

Fixed

• Rebuild stale dist and remove force-tracked build artifacts (#193)

Dependencies

• Bundle updated with latest CLI core (dependency bumps)

v0.9.32026-04-17

Changed

• Bundle updated with latest CLI core (runtime SDKs announcement, dependency bumps)

Fixed

• ci(publish-npm): Narrowed paths filter from src/<strong> to src/envilder/</strong> so SDK/website/IaC changes no longer trigger the

v0.9.22026-04-02

Changed

• Bundle updated with latest CLI core (Azure Key Vault, $config map-file support)

v0.8.02026-03-22

Added

• Azure Key Vault support — Use provider: azure input to pull secrets from Azure Key Vault
• New input vault-url — Azure Key Vault URL, overrides $config.vaultUrl in the map file
• New input provider — Select cloud provider (aws or azure, default: aws)
• $config section support in map files — declare provider and connection details inline

Changed

• Updated action.yml description and inputs to reflect multi-provider support
• Both CLI and GHA now use shared ContainerConfiguration module for DI setup

v0.7.12025-11-16

Documentation

• Update GitHub Action version from v1 to v0.7.1 in documentation
• Fix example version references

v0.7.02025-11-16

Added

• Initial GitHub Action release — Use Envilder in CI/CD workflows natively
• Pull secrets from AWS SSM Parameter Store into .env files during workflow runs
• End-to-end tests for GitHub Actions simulation

Changed

• Action moved to github-action/ subfolder

Breaking Changes

• Action path changed from macalbert/envilder@v1 to macalbert/envilder/github-action@v1