release: v0.5.7 run/materialize sealed-source support

Author: aheissenberger

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v0.5.7] - 2026-03-16
+
+### Added
+- Extend runtime rule source selection to `[[materialize.rule]]` and `[[run.rule]]` with `source = "store" | "sealed"`
+- Add sealed-source loading parity for `gitvault materialize` (config-selected repository files with sealed values)
+
+### Changed
+- Update CLI reference documentation with source-selector semantics and examples for `run` and `materialize`
+- Add and activate REQ-119 spec coverage for run/materialize sealed-source runtime behavior
+
 ## [v0.5.4] - 2026-03-05
 
 ### Changed
@@ -161,7 +171,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Streamlined release verification flow
 
-[Unreleased]: https://github.com/aheissenberger/gitvault/compare/v0.5.4...HEAD
+[Unreleased]: https://github.com/aheissenberger/gitvault/compare/v0.5.7...HEAD
+[v0.5.7]: https://github.com/aheissenberger/gitvault/compare/v0.5.6...v0.5.7
+[v0.5.6]: https://github.com/aheissenberger/gitvault/compare/v0.5.4...v0.5.6
 [v0.5.4]: https://github.com/aheissenberger/gitvault/compare/v0.5.3...v0.5.4
 [v0.5.3]: https://github.com/aheissenberger/gitvault/compare/v0.5.2...v0.5.3
 [v0.5.2]: https://github.com/aheissenberger/gitvault/compare/v0.5.1...v0.5.2

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "gitvault"
-version = "0.5.6"
+version = "0.5.7"
 authors = ["Andreas Heissenberger"]
 repository = "https://github.com/aheissenberger/gitvault"
 homepage = "https://github.com/aheissenberger/gitvault"

Cargo.toml

@@ -61,6 +61,7 @@ For CI/CD workflows, gitvault provides two runtime patterns:
 Rule of thumb:
 - Prefer `run` by default in CI.
 - Use `materialize` only for file-bound steps (for example, migrations expecting `.env`).
+- Both commands can load from encrypted store artifacts and selected sealed repository files using `[[run.rule]]` / `[[materialize.rule]]` with `source = "sealed"`.
 
 See full CI/CD recipes (GitHub Actions, Docker, Kubernetes): [docs/cicd-recipes.md](docs/cicd-recipes.md)
 

README.md

@@ -294,6 +294,8 @@ Behavior:
 - Decrypts store files for the selected environment and writes merged values to
   `[materialize].output_filename` (default: `.env`).
 - Supports multi-format store sources (`.env.age`, `.json.age`, `.yaml/.yml.age`, `.toml.age`).
+- `[[materialize.rule]]` can also select sealed repository files with `source = "sealed"`.
+- For sealed sources, `path` is matched against repository-relative working-tree paths.
 - Fails if decryption fails or secret content is invalid for its detected format.
 
 Examples:
@@ -364,6 +366,8 @@ Behavior:
 - Decrypts secrets for the selected environment and injects them into the child process env.
 - Does not write plaintext files to disk.
 - Uses the same multi-format store parsing as `materialize`.
+- `[[run.rule]]` can also select sealed repository files with `source = "sealed"`.
+- For sealed sources, `path` is matched against repository-relative working-tree paths.
 
 Examples:
 
@@ -569,13 +573,17 @@ Matcher rules are defined as array-of-table entries with `action`, `path`, and o
 | `action` | string | `allow` or `deny` |
 | `path` | string | Repo-relative glob path to match |
 | `keys` | array of strings | Optional key globs (applies to `allow` rules) |
+| `source` | string | Optional (`materialize`/`run` rules): `store` (default) or `sealed` |
 | `dir_prefix` | bool | Optional (`materialize`/`run` rules): include directory components as key prefix |
 | `path_prefix` | bool | Optional (`materialize`/`run` rules): include filename stem as key prefix |
 | `custom_prefix` | string | Optional (`materialize`/`run` rules): append custom token before key |
 
 Notes:
 - Rules are evaluated in file order; later matches override earlier matches.
 - `keys` filters emitted key/value pairs for matching files.
+- `source` defaults to `store` when omitted.
+- `source = "store"` matches `.gitvault/store/<env>/**/*.age` inputs.
+- `source = "sealed"` matches repository-relative working-tree files (`.env`, `.env.<suffix>`, `<name>.env`, `.json`, `.yaml`, `.yml`, `.toml`; `.envrc` excluded).
 - Runtime commands support global prefix defaults via `[materialize]` and `[run]` keys: `dir_prefix` and `path_prefix`.
 - Prefix order is deterministic: `<DIR_PREFIX>_<FILENAME_PREFIX>_<CUSTOM_PREFIX>_<KEY>` (missing parts are skipped).
 - Unknown keys in rule entries fail config parsing.
@@ -631,13 +639,26 @@ path = "conf/public.json"
 
 [[materialize.rule]]
 action = "allow"
+source = "sealed"
+path = "services/web/.env.local"
+custom_prefix = "MAT"
+
+[[materialize.rule]]
+action = "allow"
+source = "store"
 path = ".gitvault/store/dev/*.env.age"
 dir_prefix = true
 path_prefix = true
-custom_prefix = "APP"
 
 [[run.rule]]
 action = "allow"
+source = "sealed"
+path = "services/api/.env.local"
+keys = ["DATABASE_URL", "API_*"]
+
+[[run.rule]]
+action = "allow"
+source = "store"
 path = ".gitvault/store/dev/conf/*.json.age"
 keys = ["DATABASE_*", "REDIS_*"]
 dir_prefix = false
@@ -696,15 +717,28 @@ path = "config/test-*.json"
 
 [[materialize.rule]]
 action = "allow"
-path = ".gitvault/store/dev/*.env.age"
+source = "sealed"
+path = "services/web/.env.local"
 custom_prefix = "MAT"
 
+[[materialize.rule]]
+action = "allow"
+source = "store"
+path = ".gitvault/store/dev/*.env.age"
+
 [run]
 dir_prefix = false
 path_prefix = true
 
 [[run.rule]]
 action = "allow"
+source = "sealed"
+path = "services/api/.env.local"
+keys = ["DATABASE_URL", "API_*"]
+
+[[run.rule]]
+action = "allow"
+source = "store"
 path = ".gitvault/store/dev/conf/*.json.age"
 keys = ["DATABASE_*", "REDIS_*"]
 

docs/reference.md

@@ -94,6 +94,7 @@ This index is the canonical source for requirement-to-spec traceability.
 ## Engineering NFR Specs (Additive)
 - `2026-03-04-engineering-nfr/req-110.md` -> REQ-110: Auto-discover encrypted fields in structured files (decrypt without --fields) [status: implemented]
 - `2026-03-04-engineering-nfr/req-111.md` -> REQ-111: Encrypt all string fields without explicit listing (--all-fields flag) [status: **superseded by REQ-112**]
+- `2026-03-04-engineering-nfr/req-119.md` -> REQ-119: `gitvault run`/`materialize` support config-referenced sealed-source files [status: active]
 
 ## Breaking Change Specs
 - `2026-03-04-engineering-nfr/req-112.md` -> REQ-112: `seal` and `unseal` — In-place field-level encryption commands (supersedes REQ-111; replaces encrypt --fields, --value-only; replaces decrypt --fields, --value-only) [status: done]

specs/2026-03-01-safesecrets/00-requirements-index.md

@@ -79,6 +79,13 @@ Multiple command surfaces currently evaluate path and key matching with partiall
 
 Prior schema also relied on seal-specific keys that do not generalize well to run/materialize behavior.
 
+## Update Note (2026-03-16)
+
+REQ-119 extends runtime source selection for `[[run.rule]]` and
+`[[materialize.rule]]` with an additive optional `source` discriminator (`store` or
+`sealed`) while preserving REQ-118's unified
+matcher model, deterministic rule evaluation, and strict parse validation.
+
 ## Decision
 
 Introduce one structured TOML rule model per command namespace:

specs/2026-03-04-engineering-nfr/req-118.md

@@ -0,0 +1,150 @@
+---
+id: "S-20260316-R119"
+title: "REQ-119: gitvault run/materialize support config-referenced sealed-source files"
+status: "active"
+owners: ["@aheissenberger"]
+mode: ["cli"]
+platforms: ["Linux", "macOS", "Windows"]
+scope:
+  repoAreas: ["src/**", "docs/**", "specs/**"]
+  touch:
+    - "src/config.rs"
+    - "src/repo/paths.rs"
+    - "src/commands/effects.rs"
+    - "src/commands/materialize.rs"
+    - "src/commands/run_cmd.rs"
+    - "src/structured/fields.rs"
+    - "src/structured/env_values.rs"
+    - "docs/reference.md"
+    - "README.md"
+    - "specs/2026-03-04-engineering-nfr/req-118.md"
+  avoid: ["target/**"]
+breaking: false
+supersedes: []
+acceptance:
+  - id: "AC1"
+    text: "`gitvault run` and `gitvault materialize` support two input source classes selected by unified runtime rules: (a) existing store artifacts under `.gitvault/store/<env>/**/*.age`, and (b) repository files containing sealed values. Both classes may be used in the same execution."
+  - id: "AC2"
+    text: "`[[run.rule]]` and `[[materialize.rule]]` are extended with optional `source = \"store\" | \"sealed\"`. Omitted `source` defaults to `store` for backward compatibility. Unknown `source` values fail config parsing with a usage error."
+  - id: "AC3"
+    text: "For `source = \"sealed\"`, `path` is matched against repository-relative working-tree paths (not store paths). Supported file formats are the same sealed formats as REQ-112: `.env`, `.env.<suffix>`, `<name>.env`, `.json`, `.yaml`, `.yml`, `.toml` (excluding `.envrc`)."
+  - id: "AC4"
+    text: "When a selected sealed-source file contains a mix of plaintext and sealed values, `gitvault run` and `gitvault materialize` emit final plaintext key/value pairs for both: plaintext values pass through unchanged; sealed values are decrypted in memory before flattening/export."
+  - id: "AC5"
+    text: "For `gitvault run`, `source = \"sealed\"` never writes plaintext files. Decryption, parsing, and flattening happen in memory only. REQ-21 and REQ-22 fileless guarantees remain unchanged."
+  - id: "AC6"
+    text: "Runtime `keys` filters and runtime prefix controls (`dir_prefix`, `path_prefix`, `custom_prefix`) continue to apply for both source classes in `run` and `materialize` using REQ-118 matcher semantics and deterministic prefix composition order."
+  - id: "AC7"
+    text: "Rule precedence remains REQ-118 compliant (file order, later match wins). For key collisions after flattening/prefixing, merge order is deterministic and documented: later processed entries override earlier entries; processing order is stable across repeated executions with identical inputs."
+  - id: "AC8"
+    text: "If a selected sealed-source file cannot be parsed, contains unsupported format, or contains an undecryptable sealed token, `gitvault run` and `gitvault materialize` fail closed with a non-zero exit and an actionable error that includes the file path context."
+  - id: "AC9"
+    text: "Existing run/materialize behavior for store sources is preserved unless `source = \"sealed\"` is explicitly configured. Existing configs that do not use the new field remain valid and behaviorally unchanged."
+  - id: "AC10"
+    text: "Tests cover: mixed plaintext+sealed `.env`; sealed JSON/YAML/TOML flattening; combined store+sealed sources in one run/materialize execution; deterministic collision handling; clear-env/keep-vars unchanged; fail-closed errors for bad sealed payloads and unsupported sealed-source files."
+verification:
+  commands:
+    - "cargo fmt --all -- --check"
+    - "cargo clippy --all-targets --workspace -- -D warnings"
+    - "cargo test --all"
+    - "cargo xtask spec-verify"
+risk:
+  level: "medium"
+links:
+  related: "S-20260301-006"
+  related2: "S-20260304-R112"
+  related3: "S-20260305-R118"
+  issue: ""
+  pr: ""
+---
+
+# REQ-119: `gitvault run`/`materialize` support config-referenced sealed-source files
+
+## Context
+
+Current runtime loading is centered on decrypting store artifacts. Teams also keep
+repository files with in-place sealed values and want to reference those files from
+runtime configuration without introducing intermediate plaintext files.
+
+REQ-118 already defines the unified rule engine and runtime key-prefix behavior.
+REQ-119 extends that model so runtime source selection can include sealed working-tree
+files for `run` and `materialize` while keeping each command's security guarantees.
+
+## Goal
+
+Allow `gitvault run` and `gitvault materialize` to load values from both store
+artifacts and sealed repository files through unified runtime rule configuration,
+including files that contain a
+mix of plaintext and sealed values.
+
+## Non-goals
+
+- No new CLI subcommand for source selection.
+- No reintroduction of legacy matcher schemas.
+- No plaintext materialization to disk.
+- No change to seal/unseal command semantics.
+- No change to the materialize output contract (`.env` generation remains explicit materialization behavior).
+
+## Constraints
+
+- Keep REQ-118 as the governing rule model; extend it additively.
+- Maintain deterministic merge behavior and strict config parsing.
+- Preserve existing store-only run/materialize behavior by default.
+
+## Decision
+
+Extend `[[run.rule]]` and `[[materialize.rule]]` with optional `source`:
+
+```toml
+[[run.rule]]
+action = "allow"
+source = "sealed"
+path = "services/api/.env.local"
+keys = ["DATABASE_URL", "API_*"]
+
+[[run.rule]]
+action = "allow"
+source = "store"
+path = ".gitvault/store/prod/services/api/runtime.json.age"
+path_prefix = true
+custom_prefix = "RUNTIME"
+
+[[materialize.rule]]
+action = "allow"
+source = "sealed"
+path = "services/web/.env.local"
+path_prefix = true
+custom_prefix = "MAT"
+```
+
+When `source` is omitted, behavior is identical to existing store-source behavior.
+
+## Requirement Coverage
+
+- REQ-119.
+
+## Conflict Analysis
+
+| Existing requirement | Potential conflict | Resolution |
+|---|---|---|
+| REQ-21/22 (fileless run) | run sealed-source loading could imply temp files | Explicitly disallow file writes in AC5 |
+| REQ-112 (seal semantics) | runtime could redefine sealed format behavior | Reuse REQ-112 sealed formats and token handling rules |
+| REQ-118 AC2 (runtime rule keys) | schema extension might contradict strict keys | Extend AC2 additively with optional `source`; keep strict validation |
+| REQ-118 AC7 (order) | two source classes add merge ambiguity | AC7 defines deterministic collision precedence |
+
+No requirement is superseded by REQ-119. This is an additive extension.
+
+## Acceptance Criteria
+
+See frontmatter acceptance list (AC1-AC10).
+
+## Test Plan
+
+- Unit tests for run/materialize rule parsing with `source` defaulting and validation.
+- Integration tests covering mixed store+sealed runtime loading and error paths.
+- Regression tests to prove unchanged behavior for legacy configs without `source`.
+
+## Notes
+
+This requirement intentionally keeps policy expression inside the existing unified
+rule engine instead of introducing command flags or parallel config sections.

specs/2026-03-04-engineering-nfr/req-119.md

@@ -165,14 +165,24 @@ impl EffectRunner for DefaultRunner {
                 self.materialize_path_prefix,
             ),
         };
-        crate::repo::decrypt_env_secrets_with_rules(
-            repo_root,
-            env,
-            identity,
-            rules,
-            dir_prefix,
-            path_prefix,
-        )
+        match scope {
+            SecretRuleScope::Run => crate::repo::decrypt_runtime_secrets_with_rules(
+                repo_root,
+                env,
+                identity,
+                rules,
+                dir_prefix,
+                path_prefix,
+            ),
+            SecretRuleScope::Materialize => crate::repo::decrypt_runtime_secrets_with_rules(
+                repo_root,
+                env,
+                identity,
+                rules,
+                dir_prefix,
+                path_prefix,
+            ),
+        }
     }
 
     fn run_command(

src/commands/effects.rs

@@ -95,4 +95,44 @@ mod tests {
         };
         assert!(msg.contains("Failed to decrypt"));
     }
+
+    #[test]
+    fn test_cmd_materialize_loads_sealed_source_from_materialize_rule() {
+        let _lock = global_test_lock().lock().unwrap();
+        let dir = TempDir::new().unwrap();
+        init_git_repo(dir.path());
+        let _cwd = CwdGuard::enter(dir.path());
+        let (identity_file, identity) = setup_identity_file();
+
+        let config_dir = dir.path().join(".gitvault");
+        std::fs::create_dir_all(&config_dir).unwrap();
+        std::fs::write(
+            config_dir.join("config.toml"),
+            "[materialize]\n[[materialize.rule]]\naction = \"allow\"\nsource = \"sealed\"\npath = \"services/web/.env.local\"\n",
+        )
+        .unwrap();
+
+        let sealed_src = dir.path().join("services/web/.env.local");
+        std::fs::create_dir_all(sealed_src.parent().unwrap()).unwrap();
+        let recipients = vec![identity.to_public().to_string()];
+        let fields = vec!["SECRET".to_string()];
+        let sealed = crate::commands::seal::seal_content(
+            "PLAIN=visible\nSECRET=hidden\n",
+            "env",
+            Some(&fields),
+            &recipients,
+        )
+        .expect("sealing test input should succeed");
+        std::fs::write(&sealed_src, sealed).unwrap();
+
+        with_identity_env(identity_file.path(), || {
+            cmd_materialize(None, None, false, false, true, None)
+                .expect("materialize should include configured sealed source values");
+        });
+
+        let materialized =
+            std::fs::read_to_string(dir.path().join(".env")).expect(".env should be created");
+        assert!(materialized.contains("PLAIN=\"visible\""));
+        assert!(materialized.contains("SECRET=\"hidden\""));
+    }
 }