varlock() native local encryption #567

Open
theoephraim wants to merge 5 commits into main from feature/secure-enclave-plugin

Conversation

@theoephraim (Member) commented Apr 8, 2026

Summary

Adds built-in device-local encryption to varlock via a new varlock() resolver function and native platform binaries. Encrypted secrets can be stored directly in .env files and are automatically decrypted at load time — no external secret manager required.

Encryption backends

The best available backend is selected automatically at runtime:

| Platform | Backend | Key Storage | Biometric |
|---|---|---|---|
| macOS | Secure Enclave (Swift binary) | Hardware Secure Enclave | Touch ID / Face ID |
| Windows | DPAPI + Windows Hello (Rust binary) | Windows credential store | Windows Hello (face/fingerprint/PIN) |
| Linux | TPM2 (Rust binary) | TPM2 hardware (sealed keys) | No |
| All | File-based fallback (pure JS) | ~/.varlock/ directory | No |

All backends use the same ECIES wire format (P-256 ECDH + HKDF-SHA256 + AES-256-GCM), so encrypted payloads are portable across implementations.

On macOS, the Secure Enclave provides hardware-backed keys that cannot be extracted, with optional biometric gating via Touch ID. On Windows, DPAPI protects keys scoped to the current user with optional Windows Hello biometric verification. On Linux, keys are sealed to the TPM2 chip when available. A daemon process manages biometric sessions and IPC on all native platforms.

New CLI commands

  • varlock encrypt — Encrypt values interactively or in bulk (--file .env.local encrypts all @sensitive plaintext values in-place)
  • varlock reveal — Securely view/copy decrypted sensitive values (uses alternate screen buffer to avoid scrollback capture, --copy for clipboard with auto-clear)
  • varlock lock — Invalidate the biometric session, requiring re-authentication for next decrypt

The varlock() resolver

Two modes:

  • Decrypt: varlock("local:<ciphertext>") — decrypts an encrypted payload at load time
  • Prompt: varlock(prompt) — prompts for a secret on first load, encrypts it, and writes the encrypted value back to the source file

New packages

  • @varlock/encryption-binary-swift — macOS Secure Enclave binary (Swift, universal arm64+x86_64)
  • @varlock/encryption-binary-rust — Windows/Linux encryption binary (Rust, cross-compiled for x64/arm64)

Local encryption library (src/lib/local-encrypt/)

  • index.ts — Public API: encryptValue, decryptValue, ensureKey, getBackendInfo, lockSession
  • crypto.ts — Pure JS ECIES implementation (wire-compatible with native binaries)
  • file-backend.ts — File-based key storage fallback
  • daemon-client.ts — IPC client for native binary daemons (Unix sockets / named pipes)
  • binary-resolver.ts — Platform-specific binary discovery (SEA sibling → npm bundled → dev fallback)
  • builtin-resolver.ts — The varlock() resolver registration

CI/CD

  • New workflows: build-native-macos.yaml, build-native-rust.yaml, notarize-native-macos.yaml, binary-release.yaml
  • Updated test.yaml and release.yaml to include native binary build steps

Documentation

  • CLI reference: added encrypt, reveal, lock commands
  • Functions reference: added varlock() resolver docs
  • Secrets guide: replaced "coming soon" placeholder with full local encryption guide
  • Introduction: updated features list to mention built-in encryption
  • Usage guide: added encrypt and reveal command overviews

Test plan

  • bun run test — unit tests pass (includes crypto.test.ts and file-backend.test.ts)
  • varlock encrypt — interactive single-value encryption works
  • varlock encrypt --file .env.local — batch file encryption works
  • varlock reveal — interactive picker shows sensitive values in alt screen
  • varlock reveal KEY --copy — clipboard copy + auto-clear works
  • varlock lock — invalidates biometric session on macOS
  • varlock(prompt) — prompts for value and writes back encrypted payload
  • varlock("local:...") — decrypts values during varlock load / varlock run
  • File-based fallback works when no native binary is available
  • macOS Secure Enclave binary builds and signs correctly
  • Rust binary cross-compiles for linux-x64, linux-arm64, windows-x64, windows-arm64
  • Docs site builds without errors


changeset-bot bot commented Apr 8, 2026

🦋 Changeset detected

Latest commit: 653c7b1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages

| Name | Type |
|---|---|
| varlock | Minor |
| @varlock/astro-integration | Major |
| @varlock/cloudflare-integration | Major |
| @varlock/expo-integration | Major |
| @varlock/nextjs-integration | Major |
| @varlock/vite-integration | Major |
| @varlock/1password-plugin | Major |
| @varlock/aws-secrets-plugin | Major |
| @varlock/azure-key-vault-plugin | Major |
| @varlock/bitwarden-plugin | Major |
| @varlock/dashlane-plugin | Major |
| @varlock/google-secret-manager-plugin | Major |
| @varlock/hashicorp-vault-plugin | Major |
| @varlock/infisical-plugin | Major |
| @varlock/keepass-plugin | Major |
| @varlock/pass-plugin | Major |
| @varlock/passbolt-plugin | Major |
| @varlock/proton-pass-plugin | Major |

theoephraim force-pushed the feature/secure-enclave-plugin branch 4 times, most recently from 9fe515d to d89302e on April 8, 2026 07:29

pkg-pr-new bot commented Apr 8, 2026

@varlock/ci-env-info

npm i https://pkg.pr.new/@varlock/ci-env-info@567

varlock

npm i https://pkg.pr.new/varlock@567

@varlock/astro-integration

npm i https://pkg.pr.new/@varlock/astro-integration@567

@varlock/cloudflare-integration

npm i https://pkg.pr.new/@varlock/cloudflare-integration@567

@varlock/expo-integration

npm i https://pkg.pr.new/@varlock/expo-integration@567

@varlock/nextjs-integration

npm i https://pkg.pr.new/@varlock/nextjs-integration@567

@varlock/vite-integration

npm i https://pkg.pr.new/@varlock/vite-integration@567

@varlock/1password-plugin

npm i https://pkg.pr.new/@varlock/1password-plugin@567

@varlock/aws-secrets-plugin

npm i https://pkg.pr.new/@varlock/aws-secrets-plugin@567

@varlock/azure-key-vault-plugin

npm i https://pkg.pr.new/@varlock/azure-key-vault-plugin@567

@varlock/bitwarden-plugin

npm i https://pkg.pr.new/@varlock/bitwarden-plugin@567

@varlock/dashlane-plugin

npm i https://pkg.pr.new/@varlock/dashlane-plugin@567

@varlock/google-secret-manager-plugin

npm i https://pkg.pr.new/@varlock/google-secret-manager-plugin@567

@varlock/hashicorp-vault-plugin

npm i https://pkg.pr.new/@varlock/hashicorp-vault-plugin@567

@varlock/infisical-plugin

npm i https://pkg.pr.new/@varlock/infisical-plugin@567

@varlock/keepass-plugin

npm i https://pkg.pr.new/@varlock/keepass-plugin@567

@varlock/pass-plugin

npm i https://pkg.pr.new/@varlock/pass-plugin@567

@varlock/passbolt-plugin

npm i https://pkg.pr.new/@varlock/passbolt-plugin@567

@varlock/proton-pass-plugin

npm i https://pkg.pr.new/@varlock/proton-pass-plugin@567

commit: 653c7b1

theoephraim force-pushed the feature/secure-enclave-plugin branch 10 times, most recently from 5fb2d57 to 48f4feb on April 8, 2026 23:29

socket-security bot commented Apr 9, 2026

theoephraim force-pushed the feature/secure-enclave-plugin branch 3 times, most recently from 7de0e68 to 10d20b2 on April 9, 2026 06:14
theoephraim force-pushed the feature/secure-enclave-plugin branch from 10d20b2 to 17081fd on April 9, 2026 06:33

cloudflare-workers-and-pages bot commented Apr 9, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! (View logs) | varlock-website | 653c7b1 | Commit Preview URL / Branch Preview URL | Apr 09 2026, 07:13 AM |

theoephraim force-pushed the feature/secure-enclave-plugin branch from 17081fd to f4767ee on April 9, 2026 06:40

@philmillman (Member) commented:

Testing in Windows:

WSL2:
[image]
(this is a pretty old image, I will update and try again)

Native Windows works (including fingerprint prompt)
[image]
