Releases: dmno-dev/varlock

varlock v1.6.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add caching system: cache() resolver, plugin cache API, encrypted JSON store (file mode 0600), varlock cache CLI with TTY-aware browser and --yes confirm for clear.
    • Cache TTLs use the shared duration format; "forever" caches until manually cleared (the default for cache()), setting a plugin's cacheTtl to false (or an empty string) disables caching, and a TTL of 0 is rejected as ambiguous.
    • Cached values are individually encrypted and bound to their cache key, so entries cannot be swapped or replayed within the cache file.
    • --clear-cache always clears the persistent disk cache, including when combined with --skip-cache; @cache=disk warns when used in CI or with the file-based encryption fallback.
    • Add random value generators backed by node:crypto: randomNum() (integer by default, float when precision is set), randomUuid(), randomHex() (string-length by default, bytes=true for byte-length), randomString() (uses rejection sampling for unbiased output across any charset).
    • Add duration data type: accepts flexible string/number input ("1h", "30m", "500ms", 2000, "2days") and coerces to a number in a configurable output unit (ms default; seconds, minutes, hours, days, weeks). Only plain decimal number formats are accepted, and sub-millisecond durations are rejected. Same parser is used by cache(..., ttl=...) and the plugin cacheTtl option.
    • When _VARLOCK_CACHE_KEY is set (e.g. as a CI secret; same format as _VARLOCK_ENV_KEY, but a separate var since that one can be ephemeral), auto cache mode uses a disk cache encrypted with that key instead of falling back to memory — enabling shared caching across CI processes without the key ever touching disk. Each key gets its own cache file, named by key fingerprint.
    • @cache can be set dynamically with functions (e.g. @cache=forEnv(dev, "disk")); invalid resolved values surface as schema errors.
    • Plaintext is passed to the native encryption binary via stdin instead of argv so it never appears in process listings (the macOS enclave binary gained --data-stdin support); debug logging no longer includes encrypt/decrypt payloads.
    • Plugin opt-in caching via cacheTtl is documented per plugin — see the plugin packages' own changelogs.
  • #768 (patch) - fix: only warn about file-based encryption fallback when encryption is actually used, not on every load
  • #756 (patch) - Preserve process.env override provenance across nested invocations so varlock run-injected resolved values are no longer treated as true overrides by inner varlock loads.
    Only real upstream overrides now propagate through nesting, while inner command-local overrides still win as expected.
    Also fixes smoke-test CLI resolution to use the workspace-local varlock CLI instead of any globally installed binary.
    Note: __VARLOCK_ENV now includes override provenance metadata (__varlockOverrideMeta). Tooling that strictly validates that blob shape should allow unknown/new fields.
  • #757 (patch) Thanks @yinjs! - fix: treat whitespace-only lines as blank lines instead of throwing a parse error
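
The #577 note above says cached values are individually encrypted and bound to their cache key. The following is an added example, not varlock's own code, of one way to get that property: it assumes AES-256-GCM with the cache key passed as additional authenticated data, and the function names, key names and values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: AES-256-GCM, cache key as AAD. Layout: iv(12) | tag(16) | ciphertext.
function sealEntry(masterKey, cacheKey, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every entry
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(Buffer.from(cacheKey, 'utf8')); // authenticated, not stored
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function openEntry(masterKey, cacheKey, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('cache entry too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(cacheKey, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag does not match the key, AAD and ciphertext
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Look up a value in a parsed cache file; an entry that fails authentication is a miss.
function readCache(masterKey, store, cacheKey) {
  if (!Object.hasOwn(store, cacheKey)) return undefined;
  try {
    return openEntry(masterKey, cacheKey, store[cacheKey]);
  } catch {
    return undefined; // tampered, moved from another key, or sealed under another master key
  }
}

// Constructed demo: two entries, then the dev ciphertext is moved under the prod key.
function demoSwap() {
  const masterKey = crypto.randomBytes(32);
  const store = {
    'plugin:prod:DB_PASSWORD': sealEntry(masterKey, 'plugin:prod:DB_PASSWORD', 'prod-secret'),
    'plugin:dev:DB_PASSWORD': sealEntry(masterKey, 'plugin:dev:DB_PASSWORD', 'dev-secret'),
  };
  const before = readCache(masterKey, store, 'plugin:prod:DB_PASSWORD');
  store['plugin:prod:DB_PASSWORD'] = store['plugin:dev:DB_PASSWORD']; // edit on disk
  const after = readCache(masterKey, store, 'plugin:prod:DB_PASSWORD');
  return { before, after };
}
```

With a plain per-value cipher and no key binding, the swapped entry would decrypt cleanly and the caller would receive the dev value under the prod name.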

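The #577 note on randomString() mentions rejection sampling for unbiased output across any charset. The following added example (not varlock's implementation; function names are illustrative) shows the technique with node:crypto and counts, over all 256 byte values, the skew that a plain `byte % n` mapping produces.

```javascript
const { randomBytes } = require('node:crypto');

// Largest multiple of the charset length that fits in one byte.
// Bytes at or above this limit are discarded instead of being wrapped with %.
function acceptLimit(charsetLength) {
  if (!Number.isInteger(charsetLength) || charsetLength < 1 || charsetLength > 256) {
    throw new RangeError('charset must have 1..256 unique characters');
  }
  return 256 - (256 % charsetLength);
}

function randomStringUnbiased(length, charset) {
  const chars = [...new Set(charset)]; // de-duplicate so no character is double-weighted
  const limit = acceptLimit(chars.length);
  const picked = [];
  while (picked.length < length) {
    // Draw a little extra so most calls finish in a single pass.
    for (const byte of randomBytes(length - picked.length + 16)) {
      if (byte < limit && picked.length < length) {
        picked.push(chars[byte % chars.length]);
      }
    }
  }
  return picked.join('');
}

// Map every possible byte value to a charset index and count hits per index.
// reject=false is the naive mapping; reject=true drops bytes >= acceptLimit.
function byteCounts(charsetLength, reject) {
  const limit = reject ? acceptLimit(charsetLength) : 256;
  const counts = new Array(charsetLength).fill(0);
  for (let byte = 0; byte < limit; byte++) counts[byte % charsetLength]++;
  return counts;
}
```

For a 62-character alphabet the naive mapping gives the first 8 characters 5 byte values each and the rest 4, while the rejecting version gives every character exactly 4.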

@varlock/proton-pass-plugin v1.0.2

10 Jun 07:53
87abe33

  • #759 (patch) - Reduce extra Proton Pass auth prompts by removing preflight info checks and using auth-retry reads.

@varlock/passbolt-plugin v1.1.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.

@varlock/keeper-plugin v1.1.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.

@varlock/infisical-plugin v1.2.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.

@varlock/hashicorp-vault-plugin v1.2.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.

@varlock/google-secret-manager-plugin v1.2.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.

@varlock/doppler-plugin v1.1.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.

@varlock/cloudflare-integration v1.1.6

10 Jun 07:53
87abe33

  • #743 (patch) - fix(cloudflare): harden varlock-wrangler FIFO server against CI races
    The FIFO server child process now signals readiness on a dedicated
    control pipe (fd 3) before the parent spawns downstream consumers
    (wrangler), eliminating a race where wrangler could open the FIFO
    before the child had buffered content and called the first
    writeFileSync to open the FIFO for write — observed in Linux/Docker
    CI environments as The contents of "/tmp/varlock-secrets-..." is not valid.
    Also:
    • Forward child stderr to the parent so write failures are no longer
      swallowed by a silent process.exit().
    • Surface child write errors with iteration number and error code via
      the control pipe.
    • Fix UTF-8 corruption that could occur when stdin chunks split a
      multi-byte character (use Buffer.concat instead of string +=).
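
The UTF-8 fix in #743 is easy to reproduce in isolation. The following added example (not the project's code; function names and the sample text are constructed) compares per-chunk string appending with Buffer.concat and reports which split offsets corrupt the text.

```javascript
// Pre-fix pattern: each chunk is decoded to a string on its own, so a
// multi-byte character cut by a chunk boundary becomes U+FFFD on both sides.
function readAllByStringAppend(chunks) {
  let data = '';
  for (const chunk of chunks) data += chunk; // implicit chunk.toString('utf8')
  return data;
}

// Fixed pattern: keep raw bytes, join them, decode once at the end.
function readAllByBufferConcat(chunks) {
  return Buffer.concat(chunks).toString('utf8');
}

// Split the UTF-8 encoding of `text` into two chunks at a byte offset,
// the way a pipe read boundary might.
function splitAt(text, offset) {
  const bytes = Buffer.from(text, 'utf8');
  return [bytes.subarray(0, offset), bytes.subarray(offset)];
}

// Every byte offset at which the string-append reader returns damaged text.
function corruptingOffsets(text) {
  const total = Buffer.byteLength(text, 'utf8');
  const bad = [];
  for (let offset = 1; offset < total; offset++) {
    if (readAllByStringAppend(splitAt(text, offset)) !== text) bad.push(offset);
  }
  return bad;
}

// Constructed sample: ASCII prefix, a 2-byte character (e-acute), a 4-byte character (key emoji).
const SAMPLE = 'TOKEN=\u00e9\u{1F511}';
```

`corruptingOffsets(SAMPLE)` lists only the offsets that fall inside the two multi-byte characters, which is why the corruption appears intermittently and depends on where the reads happen to split.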

@varlock/bitwarden-plugin v1.1.0

10 Jun 07:53
87abe33

  • #577 (minor) - Add opt-in disk caching via the cacheTtl init param (e.g. cacheTtl="1h", cacheTtl=forever; setting it to false or an empty string disables caching). Cache keys include a hash of the account-identifying instance config (account, region, project, environment, etc.) so projects pointing the same plugin at different backends can never read each other's cached values from the shared per-user cache.
    Akeyless caches static secret values only — dynamic and rotated secrets are designed to change per fetch and are never cached.
