github.com/dmno-dev/varlock @1.2.2 sqlite

1,831 symbols 5,418 edges 460 files 262 documented · 14%
README

Varlock

AI-safe .env files: Schemas for agents, Secrets for humans.

  • 🤖 AI-safe config — agents read your schema, never your secrets
  • 🔍 proactive leak scanning via varlock scan + git hooks
  • 🔏 runtime protection — log redaction and leak prevention
  • 🛡️ validation, coercion, type safety w/ IntelliSense
  • 🌐 flexible multi-environment management — auto .env.* loading and explicit import
  • 🔌 plugins to pull data from various backends (1Password, Infisical, AWS, Azure, GCP, HCP Vault, more!)

Unlike .env.example, your .env.schema is a single source of truth, built for collaboration, that will never be out of sync.

# @defaultSensitive=false @defaultRequired=infer @currentEnv=$APP_ENV
# ---
# our environment flag, will control automatic loading of `.env.xxx` files
# @type=enum(development, preview, production, test)
APP_ENV=development # default value, can override

# @type=port
API_PORT=8080 # non-sensitive values can be set directly

# API url including _expansion_ referencing another env var
# @type=url
API_URL=http://localhost:${API_PORT}

# sensitive api key, with extra validation
# @required @sensitive @type=string(startsWith=sk-)
OPENAI_API_KEY=

Flexible plugin system: adds new decorators, functions, types - enables secure declarative secret loading.

# @plugin(@varlock/1password-plugin)
# @initOp(token=$OP_TOKEN, allowAppAuth=forEnv(dev), account=acmeco)
# ---

# @type=opServiceAccountToken @sensitive
OP_TOKEN=

# Fetch secrets using 1Password secret references
DB_PASS=op(op://my-vault/database-password/password)
API_KEY=op(op://api-vault/stripe/api-key)

Installation

You can get started with varlock by installing the CLI:

# Run the installation wizard, which will install as a dependency in a JavaScript project
npx varlock init

# Or install as standalone binary
brew install dmno-dev/tap/varlock # via homebrew
curl -sSfL https://varlock.dev/install.sh | sh -s # via cURL

# Or use the official Docker image
docker pull ghcr.io/dmno-dev/varlock:latest

See the full installation docs or the Docker guide for more information.

Workflow

Validate your .env.schema and pretty print your environment variables with:

varlock load

If you need to pass resolved env vars into another process, you can run:

varlock run -- python script.py

In many cases you can use our drop-in integrations for a seamless experience, with additional security guardrails such as log redaction and leak prevention.

AI-Safe Config

Your .env.schema gives AI agents full context on your config — variable names, types, validation rules, descriptions — without ever exposing secret values. Combined with varlock scan to catch leaked secrets in AI-generated code, varlock is purpose-built for the AI era. Learn more in the AI-safe config guide.

@env-spec

Varlock is built on top of @env-spec, a new DSL for attaching a schema and additional functionality to .env files using JSDoc style comments. The @env-spec package contains a parser and info about the spec itself.
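
A reduced reader for the decorator comments in the .env.schema sample above, as an added example (not the @env-spec parser or varlock's own code). It attaches `# @...` lines to the next item, validates only the types that sample uses, and builds the redacted view an agent could safely be shown; `parseSchema`, `check`, `resolve` and the 0-65535 port range are assumptions of this sketch.

```javascript
// Added illustration, not the @env-spec parser: handles only the decorators used below.
const SCHEMA = `# @defaultSensitive=false @defaultRequired=infer @currentEnv=$APP_ENV
# ---
# @type=enum(development, preview, production, test)
APP_ENV=development # default value, can override
# @type=port
API_PORT=8080
# @type=url
API_URL=http://localhost:\${API_PORT}
# @required @sensitive @type=string(startsWith=sk-)
OPENAI_API_KEY=
`;
const DECORATOR = /@(\w+)(?:=([^\s(]+(?:\([^)]*\))?))?/g;

function parseSchema(text) {
  const root = {}, items = [];
  let pending = {};
  for (const line of text.split('\n').map((l) => l.trim())) {
    const item = line.match(/^([A-Za-z_]\w*)=(.*?)(?:\s+#.*)?$/);
    if (line === '# ---') { Object.assign(root, pending); pending = {}; } // header ends
    else if (line.startsWith('# @')) {
      for (const [, k, v] of line.matchAll(DECORATOR)) pending[k] = v ?? 'true';
    } else if (item) { items.push({ key: item[1], value: item[2], dec: pending }); pending = {}; }
  }
  return { root, items };
}

function check(type = 'string', v) {
  const [, base, arg = ''] = type.match(/^(\w+)(?:\((.*)\))?$/) ?? [];
  if (base === 'port') return /^\d+$/.test(v) && Number(v) <= 65535; // assumed range
  if (base === 'enum') return arg.split(',').map((s) => s.trim()).includes(v);
  if (base === 'url') { try { new URL(v); return true; } catch { return false; } }
  if (arg.startsWith('startsWith=')) return v.startsWith(arg.slice(11));
  return true;
}

function resolve(text, overrides = {}) {
  const { root, items } = parseSchema(text);
  const values = {}, view = {}, errors = [];
  for (const { key, value, dec } of items) {
    const v = (overrides[key] ?? value).replace(/\$\{(\w+)\}/g, (_, r) => values[r] ?? '');
    const sensitive = (dec.sensitive ?? root.defaultSensitive) === 'true';
    // Errors name the key and rule only, so a rejected secret never reaches logs.
    if (v === '' && dec.required) errors.push(`${key}: required but empty`);
    else if (v !== '' && !check(dec.type, v)) errors.push(`${key}: not a valid ${dec.type}`);
    values[key] = v;
    view[key] = { type: dec.type, sensitive, value: sensitive && v ? '[redacted]' : v };
  }
  return { values, view, errors };
}
```

`resolve(SCHEMA).errors` reports the missing `OPENAI_API_KEY`; pass overrides as strings, as a process environment would supply them.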

Published Packages

Core

| Package | Published listing page |
| --- | --- |
| varlock | npm version |
| @env-spec/parser | npm version |
| @env-spec VSCode extension | VSCode Marketplace, Open VSX Registry |
| varlock Docker image | GitHub Container Registry |

Plugins

| Package | Published listing page |
| --- | --- |
| @varlock/1password-plugin | npm version |
| @varlock/aws-secrets-plugin | npm version |
| @varlock/azure-key-vault-plugin | npm version |
| @varlock/bitwarden-plugin | npm version |
| @varlock/google-secret-manager-plugin | npm version |
| @varlock/hashicorp-vault-plugin | npm version |
| @varlock/infisical-plugin | npm version |
| @varlock/keepass-plugin | npm version |
| @varlock/kubernetes-plugin | npm version |
| @varlock/pass-plugin | npm version |
| @varlock/passbolt-plugin | npm version |
| @varlock/proton-pass-plugin | npm version |

Framework Integrations

| Package | Published listing page |
| --- | --- |
| @varlock/astro-integration | npm version |
| @varlock/nextjs-integration | npm version |
| @varlock/vite-integration | npm version |

MCP Servers

| MCP Server | Link | URL |
| --- | --- | --- |
| Varlock Docs (HTTP) | Installation | https://docs.mcp.varlock.dev/mcp |
| Varlock Docs (SSE) | Installation | https://docs.mcp.varlock.dev/sse |

Examples

Examples of integrating varlock in various frameworks and situations can be found in the Varlock examples repo.

Development & Contribution

See CONTRIBUTING.md for more information.

Extension points exported contracts — how you extend this code

ArgValue (Interface)
(no doc) [11 implementers]
packages/plugins/dashlane/src/dashlane-manager.ts
OidcTokenResult (Interface)
(no doc)
packages/utils/src/oidc-tokens.ts
RepoParts (Interface)
(no doc)
packages/ci-env-info/src/normalize.ts
ExecOptions (Interface)
(no doc)
packages/varlock/src/lib/exec.ts
BundleConfig (Interface)
(no doc)
packages/encryption-binary-swift/scripts/build-swift.ts
VarlockVitePluginOptions (Interface)
(no doc)
packages/integrations/vite/src/index.ts
WorksWithTile (Interface)
(no doc)
packages/varlock-website/src/lib/works-with-tiles.ts
Register (Interface)
(no doc)
framework-tests/frameworks/tanstack-start/files/routes/router.tsx

Core symbols most depended-on inside this repo

resolve
called by 258
packages/plugins/dashlane/src/dashlane-manager.ts
envFilesTest
called by 240
packages/varlock/src/env-graph/test/helpers/generic-test.ts
debug
called by 173
packages/varlock/src/runtime/lib/debug.ts
toString
called by 138
packages/env-spec-parser/src/classes.ts
set
called by 108
packages/varlock/src/lib/cache/cache-store.ts
get
called by 94
packages/varlock/src/lib/cache/cache-store.ts
parseEnvSpecDotEnvFile
called by 65
packages/env-spec-parser/src/index.ts
values
called by 54
packages/env-spec-parser/src/classes.ts

Shape

Function 1,058
Method 542
Class 170
Interface 61

Languages

TypeScript 100%

Modules by API surface

packages/env-spec-parser/src/classes.ts · 93 symbols
packages/varlock/src/env-graph/lib/data-source.ts · 56 symbols
packages/varlock/src/env-graph/lib/resolver.ts · 48 symbols
packages/varlock/src/env-graph/lib/config-item.ts · 41 symbols
packages/varlock/src/env-graph/lib/env-graph.ts · 37 symbols
packages/plugins/kubernetes/src/plugin.ts · 36 symbols
packages/varlock/src/lib/local-encrypt/daemon-client.ts · 34 symbols
packages/plugins/1password/src/plugin.ts · 34 symbols
packages/varlock/src/env-graph/lib/errors.ts · 33 symbols
packages/plugins/bitwarden/src/plugin.ts · 33 symbols
packages/varlock/src/env-graph/lib/plugins.ts · 29 symbols
packages/varlock/src/lib/local-encrypt/index.ts · 28 symbols

Dependencies from manifests, versioned

@1password/sdk 0.4.1-beta.1 · 1×
@1password/sdk-core 0.4.1-beta.1 · 1×
@astrojs/mdx 5.0.6 · 1×
@astrojs/partytown 2.1.7 · 1×
@astrojs/sitemap 3.7.2 · 1×
@astrojs/starlight 0.39.2 · 1×
@astrojs/vue 6.0.1 · 1×
@aws-sdk/client-secrets-manager 3.700.0 · 1×
@aws-sdk/client-ssm 3.700.0 · 1×
@aws-sdk/client-sts 3.700.0 · 1×
@aws-sdk/credential-providers 3.700.0 · 1×
@azure/identity 4.13.0 · 1×

Datastores touched

mydb · Database · 1 repos
(mongodb) · Database · 1 repos
heroku_db · Database · 1 repos

For agents

$ claude mcp add varlock \
  -- python -m otcore.mcp_server <graph>