Varlock

Varlock is an open-source CLI tool that brings schema-driven configuration management to .env files, making them safe for both AI agents and human developers. It provides a single source of truth via .env.schema files with type validation, coercion, and IntelliSense support. Varlock is purpose-built for the AI era, ensuring agents can read config context without ever accessing secret values, while proactive leak scanning and runtime log redaction prevent accidental exposure.

• AI-safe config — AI agents read your schema (variable names, types, descriptions) but never your actual secret values, keeping credentials secure in agentic workflows.
• Proactive leak scanning — Run varlock scan or use git hooks to detect secrets accidentally committed or generated in AI-produced code.
• Runtime protection — Automatic log redaction and leak prevention guard secrets at runtime across your application.
• Schema validation & type safety — Define types (url, port, enum, string with constraints), required flags, and default values with full IntelliSense support via the VSCode extension.
• Multi-environment management — Auto-loads .env.* files based on your current environment flag, with explicit import support for flexible workflows.
• Flexible plugin system — Pull secrets declaratively from 1Password, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, Infisical, Bitwarden, KeePass, Passbolt, Proton Pass, and more.
• Framework integrations — Drop-in integrations for Astro, Next.js, and Vite add security guardrails with minimal setup.
• MCP server support — Varlock exposes its docs via MCP (HTTP and SSE) for seamless AI assistant integration.
• @env-spec DSL — Built on a new open DSL using JSDoc-style comments to attach schema and functionality directly to .env files.
• Easy installation — Install via npx varlock init, Homebrew, cURL, or Docker; run varlock load to validate and print your environment.