
Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Fixed

  • Provider URIs now support spaces and special characters in names (e.g., onepassword://Home Lab). All providers receive automatically percent-decoded values via a new ProviderUrl wrapper type.
  • dotenv provider: setting a secret no longer corrupts neighboring values that contain double quotes, backslashes, dollar signs, or newlines (e.g. JSON values). The underlying serde-envfile serializer did not escape these characters; the fix is pinned via a fork until lucagoslar/serde-envfile#6 lands upstream. Fixes #74.
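The dotenv fix above is worth seeing in code: a writer that drops a raw secret between double quotes lets `"`, `\`, `$` or a newline close the quote early or spill into the next line, so the neighboring entry is what gets corrupted. The following is an added example, not secretspec's or serde-envfile's own code; the escape rules it assumes (double quotes with `\"`, `\\`, `\$` and `\n` escapes) are one common dotenv dialect, and `write_env(.., false)` reproduces the unescaped behavior so the two can be compared.

```rust
// Added example, not secretspec's or serde-envfile's own code. Quoting rules assumed
// here (double quotes; `\"`, `\\`, `\$`, `\n` escapes) are one common dotenv dialect.

/// Quote a value for a .env line, escaping the characters that would otherwise
/// close the quote, start a `$` expansion, or split the entry across lines.
fn escape_value(value: &str) -> String {
    let mut out = String::from("\"");
    for c in value.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '$' => out.push_str("\\$"),
            '\n' => out.push_str("\\n"),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Serialize entries to file text. `escape = false` reproduces the bug the
/// changelog describes: the raw value is dropped between quotes unchanged.
fn write_env(entries: &[(&str, &str)], escape: bool) -> String {
    entries.iter().map(|(k, v)| {
        let quoted = if escape { escape_value(v) } else { format!("\"{v}\"") };
        format!("{k}={quoted}\n")
    }).collect()
}

/// Parse one `KEY="..."` line back; None if the line is malformed.
fn parse_line(line: &str) -> Option<(String, String)> {
    let (key, rest) = line.split_once('=')?;
    let mut chars = rest.strip_prefix('"')?.chars();
    let mut value = String::new();
    loop {
        match chars.next()? {
            '"' => break,
            '\\' => match chars.next()? { 'n' => value.push('\n'), c => value.push(c) },
            c => value.push(c),
        }
    }
    // Anything after the closing quote means the value leaked past it.
    if chars.next().is_some() { return None; }
    Some((key.to_string(), value))
}

/// Parse a whole file; None as soon as any line is malformed.
fn read_env(text: &str) -> Option<Vec<(String, String)>> {
    text.lines().map(parse_line).collect()
}
```

With escaping, a JSON value, a `$`-containing password and a multi-line value all round-trip; without it, the JSON value terminates the quote early and the multi-line value pushes its second line onto the line that was supposed to hold the next secret.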

Added

  • BWS (Bitwarden Secrets Manager) provider with async SDK integration, secret caching, and full read-write support (requires --features bws)

Changed

  • secretspec-derive now depends on secretspec with default-features = false, avoiding pulling in CLI and provider features when only the derive macro is used.

[0.8.2] - 2026-03-19

Changed

  • All provider features (gcsm, awssm, vault) are now enabled by default
  • AWS Secrets Manager (awssm) provider: batch fetching via BatchGetSecretValue API, reducing N sequential API calls to ceil(N/20) batched calls. For 30 secrets this means 2 API calls instead of 30. Note: requires the secretsmanager:BatchGetSecretValue IAM permission in addition to existing permissions.

[0.8.1] - 2026-03-15

Added

  • rsa_private_key secret generation type: generates RSA private keys in PKCS1 PEM format, defaults to 2048 bits, configurable via generate = { bits = 4096 }

Fixed

  • Check provider authentication (e.g. OnePassword, LastPass) before prompting user for secrets, via a PreflightGuard that runs the check exactly once per provider instance

[0.8.0] - 2026-03-11

Added

  • HashiCorp Vault / OpenBao (vault) provider for Vault KV v1/v2 secret storage, with support for namespaces, TLS configuration, and OpenBao compatibility (requires --features vault)
  • AWS Secrets Manager (awssm) provider for AWS secret storage integration (requires --features awssm)
  • Support running secretspec from subdirectories: the CLI now walks up the directory tree to find the nearest secretspec.toml, similar to cargo and git. Also adds a -f/--file flag (and SECRETSPEC_FILE env var) to explicitly specify the config file path (#59)

Changed

  • Extract shared block_on async helper from AWSSM and GCSM providers into provider::block_on

Fixed

  • GCSM provider no longer panics when called from within an existing tokio runtime

[0.7.2] - 2026-02-24

Added

  • Keyring and pass providers now support folder_prefix via URI (e.g., keyring://secretspec/shared/{profile}/{key}) to share secrets across projects, matching the existing OnePassword and LastPass behavior

Changed

  • Support XDG_CONFIG_HOME on macOS by switching from directories to etcetera crate. Existing macOS configs at ~/Library/Application Support/secretspec/ are automatically migrated to ~/.config/secretspec/ (#28)

Fixed

  • Reject empty values when setting a secret

[0.7.1] - 2026-02-08

Changed

  • Improved interactive prompt for missing secrets: lists all missing secrets upfront with descriptions, adds step counter ([1/3]), and uses inquire::Password for consistent masked input. Removed rpassword dependency.

Fixed

  • Use a fork of inquire to support setting multi-line secrets (#32)

[0.7.0] - 2026-02-08

Added

  • Declarative secret generation: secrets can now be auto-generated when missing by adding type and generate fields to secret config. Supported types: password, hex, base64, uuid, and command (for arbitrary shell commands). Generation triggers during check/run when a secret is missing, and the generated value is stored via the configured provider.

Changed

  • OnePassword provider: Significant performance improvement by caching authentication status and using batch fetching with parallel threads. Reduces CLI calls from 2N sequential to ~2 sequential + N parallel for N secrets.

[0.6.2] - 2026-01-27

Added

  • CLI: Add --no-prompt (-n) flag to secretspec check command for non-interactive mode. When used, the command exits with non-zero status if secrets are missing instead of prompting for values. Useful for CI/CD pipelines, scripts, and automation. (#55)

[0.6.1] - 2026-01-15

Fixed

  • OnePassword provider: Fix duplicate item creation when existing item has no extractable value. Now uses op item list for existence checks and updates by item ID to avoid ambiguity.
  • OnePassword provider: Handle "More than one item matches" error gracefully by falling back to ID-based lookup.

[0.6.0] - 2026-01-12

Added

  • Google Cloud Secret Manager (GCSM) provider for GCP secret storage integration (#53)

Fixed

  • LastPass provider: Fix creating new secrets by using correct lpass add command instead of non-existent lpass set (#54)

[0.5.1] - 2026-01-02

Changed

  • CI: Updated macOS runners from deprecated macos-13 to macos-15 (Intel) and macos-latest (ARM)

[0.5.0] - 2026-01-02

Added

  • Pass (password-store) provider for Unix password manager integration
  • ensure_secrets() method is now public in the Rust SDK
  • Support specifying full file paths (ending in .toml) in extends field, in addition to directory paths

Changed

  • Performance: avoid double validation in check() for happy path

Fixed

  • Display correct error message when extended config file is not found, instead of the misleading "No secretspec.toml found in current directory" error

[0.4.1] - 2025-11-27

Added

  • OnePassword provider: Support for SECRETSPEC_OPCLI_PATH environment variable to specify custom path to the OnePassword CLI
  • OnePassword provider: Automatic detection of Windows Subsystem for Linux 2 (WSL2) and use of op.exe on that platform
  • Documentation for as_path option in configuration reference, Rust SDK docs, and landing page
  • Documentation for per-secret providers with fallback chains on landing page

Changed

  • OnePassword provider: Use stdin instead of temporary files when creating items for WSL2 compatibility (WSL paths are invalid when passed to Windows executables)

Fixed

  • Output status/progress messages to stderr instead of stdout, fixing direnv integration where stdout was evaluated as shell code

[0.4.0] - 2025-11-24

Added

  • Profile-level default configuration: profiles.<name>.defaults section for shared settings across secrets in a profile
  • Default providers for profiles: define common providers once and have all secrets use them unless overridden
  • Default values and required settings can now be specified at profile level to reduce repetition
  • as_path option for secrets: write secret values to temporary files and return the file path instead of the value. Temporary files are automatically cleaned up when the resolved secrets are dropped in Rust SDK usage. For CLI commands (get and check), temporary files are persisted and NOT deleted after the command exits. In the Rust SDK, fields with as_path = true are generated as PathBuf or Option<PathBuf> instead of String

Changed

  • Secret required field is now Option<bool> to allow profile-level defaults to apply when not explicitly set
  • Secret default field can now inherit from profile-level defaults if not specified per-secret
  • Secret providers field can now inherit from profile-level defaults if not specified per-secret
  • Profile defaults only apply to secrets that don't explicitly set these fields

[0.3.4] - 2025-11-09

Changed

  • Secrets::check() now returns Result<ValidatedSecrets> instead of Result<()>, allowing callers to access the validated secrets

[0.3.3] - 2025-09-10

Fixed

  • CLI: Count optional secrets as "found" in the summary

[0.3.2] - 2025-09-10

Added

  • Support for piping multi-line secrets via stdin

Fixed

  • Import command now resolves secrets from all profiles, not just the active profile (fixes issue #36)
  • Fix incorrect stats in the summary for certain configurations

[0.3.1] - 2025-07-28

Fixed

  • Installers for arm/linux

[0.3.0] - 2025-07-25

Added

  • Integrate secrecy crate for secure secret handling with automatic memory zeroing
  • Add reflect() method to Provider trait for provider introspection
  • Export Provider trait from secretspec crate for use in derived code

Changed

  • Made keyring provider optional via keyring feature flag (enabled by default)
  • Unified provider parsing logic in init command to support all provider formats consistently
  • Downgraded keyring dependency to 3.6.2
  • Updated with_provider in derive macro to accept TryInto<Box<dyn Provider>> for consistent provider handling

Fixed

  • Fixed secret optionality logic: having a default value no longer makes a secret optional in generated types

[0.2.0] - 2025-07-17

Changed

  • SDK: Added set_provider() and set_profile() methods for configuration
  • SDK: Removed provider/profile parameters from set(), get(), check(), validate(), and run() methods
  • SDK: Embedded Resolved inside ValidatedSecrets

Fixed

  • Fix stdin handling for piped input in set/check commands
  • Fix SECRETSPEC_PROFILE and SECRETSPEC_PROVIDER environment variable resolution
  • Ensure CLI arguments take precedence over environment variables
  • Add CLI integration tests
  • Update test script to handle non-TTY environments correctly

[0.1.2] - 2025-01-17

Fixed

  • SDK: Hide internal functions

[0.1.1] - 2025-07-16

Added

  • secretspec --version

Fixed

  • Profile inheritance: fields are merged with current profile taking precedence

[0.1.0] - 2025-07-16

Initial release of SecretSpec - a declarative secrets manager for development workflows.