Living Document — March 2026

The road to v1.0

From solo developer tool to team-ready, plugin-extensible secrets platform — without ever requiring a server.

v0.0
Current Release
0
CLI Commands
0
Tests Passing
0
Platform Targets
Shipped

Five phases complete.

Shipped
v0.1.0

Core CLI & Encryption Engine

The foundation — init, set, get, list, delete, run.

  • AES-256-GCM per-secret encryption
  • Argon2id key derivation (64 MB)
  • HMAC-SHA256 vault integrity
  • Binary vault format with versioning
  • .envvault.toml configuration
  • Auto-import .env on init
Shipped
v0.2.0

Authentication & Key Management

Three auth methods, import/export, key rotation.

  • Keyfile two-factor authentication
  • OS keyring integration
  • rotate-key command
  • Export to .env / JSON
  • Import from .env / JSON
  • Git pre-commit secret scanning
Shipped
v0.3.0

Secret Lifecycle, Audit & Completions

Diff, edit, environment management, audit log.

  • diff — compare environments
  • edit — $EDITOR integration
  • env list / clone / delete
  • SQLite audit log
  • Shell completions (4 shells)
  • Version check (feature flag)
Shipped
v0.4.0

CI/CD, Distribution & Documentation

Cross-platform builds, Homebrew, crates.io, full docs.

  • GitHub Actions CI (3-OS matrix)
  • Release workflow (5 targets)
  • Homebrew formula
  • curl installer + SHA256 verification
  • crates.io publishing
  • README & CHANGELOG
Current
v0.5.0

Security Hardening + DX Polish

“Make the secure path the easy path.”

  • AI-Agent Safe Mode (--redact-output, --allowed-commands)
  • Process isolation (prctl, ptrace)
  • Secret scanning + Gitleaks rules
  • Clipboard copy with auto-clear
  • search, --dry-run, --skip-existing
  • Global config, audit hardening
What's Next

Five phases to v1.0

Priorities shift with community feedback. Contributions welcome.

Up Next
v0.6.0

Secret Lifecycle + Metadata

“Secrets expire, rotate, and carry context.”

  • Secret descriptions and tags
  • Vault format v2 + migration
  • Secret expiration (TTL)
  • Secret history — single-level undo
  • Compliance reports (JSON/PDF)
  • Tamper-evident audit (HMAC chain)
Planned
v0.7.0

Team Collaboration

“From solo tool to team-ready secrets.”

  • X25519 asymmetric encryption
  • Identity management (init, add)
  • Git-based sync with smart merge
  • Per-environment access policies
  • Cryptographic access control
  • Team onboarding/offboarding
Planned
v0.8.0

Ecosystem Integration

“Meet developers where they are.”

  • GitHub Actions + GitLab CI
  • Docker & Kubernetes Secrets
  • Import from SOPS, dotenvx, 1Password
  • Watch mode + framework loaders
  • VS Code extension
  • JetBrains plugin
Planned
v0.9.0

Advanced Security

“Defense in depth for high-security.”

  • YubiKey / FIDO2 hardware keys
  • TPM binding (machine-locked vaults)
  • Memory protection (mlock, guard)
  • Canary secrets (honeypot detection)
  • Encrypted audit log
  • ChaCha20-Poly1305 cipher option
Milestone
v1.0.0

Stable Release

“Production-ready, battle-tested, fully documented.”

  • Interactive TUI mode (ratatui)
  • WASM plugin system
  • Python, Node.js, Go SDK bindings
  • Vault format v2 frozen as stable
  • Frozen CLI interface + MSRV policy
  • Comprehensive docs site
VersionThemeKey Deliverables
v0.1 — v0.5 Foundation + Security Core CLI, crypto engine, auth, audit, CI/CD, AI-safe mode, scanning
v0.6.0Secret LifecycleMetadata, TTL, history, compliance reports, vault v2
v0.7.0Team CollaborationAsymmetric encryption, git sync, access policies
v0.8.0EcosystemCI/CD actions, Docker, framework loaders, IDE extensions
v0.9.0Advanced SecurityHardware keys, memory protection, canary secrets
v1.0.0 Stable Release TUI, plugin system, SDKs, frozen API, full docs
Guiding Principles

What we believe.

01
Local-first, always
Cloud features are opt-in layers. EnvVault works fully offline, forever. No exceptions.
02
Zero infrastructure
No server, no database, no Docker, no cloud account. cargo install and go.
03
Secure = easy
The secure path must be the easy path. If devs choose .env because it's easier, we've failed.
04
Beginner-friendly
Clear errors, helpful tips, rich output. Productive in 5 minutes with zero security background.
05
No vendor lock-in
Export to any format. Import from any tool. The vault format is documented and open.
06
Cryptographic access
Permissions enforced by encryption. No key = no access. No server needed to enforce.

Shape the future of
EnvVault.

This roadmap is community-driven. Star us, open issues, submit PRs. Every voice matters.