Skip to content

Add caching system, random generators, and plugin cache API#577

Open
theoephraim wants to merge 8 commits intofeature/secure-enclave-pluginfrom
feature/resolver-cache
Open

Add caching system, random generators, and plugin cache API#577
theoephraim wants to merge 8 commits intofeature/secure-enclave-pluginfrom
feature/resolver-cache

Conversation

@theoephraim
Copy link
Copy Markdown
Member

@theoephraim theoephraim commented Apr 9, 2026

Summary

  • First-class caching system with encrypted JSON storage, cache() resolver function, and plugin cache API (plugin.cache.get/set)
  • Random value generators: randomInt(), randomFloat(), randomUuid(), randomHex(), randomString() — all cryptographically secure
  • Plugin caching opt-in via cacheTtl option on init decorators (1password, aws-secrets, bitwarden, google-secret-manager)
  • Interactive varlock cache CLI for browsing and managing cached entries
  • --clear-cache / --skip-cache flags on varlock load, varlock run, varlock printenv
  • Cache indicators in varlock load pretty output and varlock explain
  • Flexible TTL formats: 1h, 1hr, 30mins, 2days, 1week, etc.
  • Type inference through cache() (e.g., cache(randomInt()) infers number type)
  • Warning when wrapping static values in cache()
  • Invalid cacheTtl on plugins surfaces as a proper init error that halts before resolution

Test plan

  • 459 tests passing (56 new across 4 test files)
  • Manual test: varlock load with cache() wrapped resolvers — verify cached indicator shows on second run
  • Manual test: varlock cache interactive browser — verify entries display and can be deleted
  • Manual test: varlock load --clear-cache and --skip-cache flags
  • Manual test: 1password plugin with cacheTtl="1hr" — verify cache hit on second load
  • Manual test: invalid cacheTtl halts with error before resolution

🤖 Generated with Claude Code

theoephraim and others added 8 commits April 9, 2026 13:15
@theoephraim @claude
add caching system, random value generators, and cache() resolver
7989101 
First-class caching for varlock with encrypted storage:

- cache() resolver function wraps any resolver to persist values across
  invocations. Supports ttl (defaults to forever), custom key, and
  auto-invalidation when the wrapped resolver expression changes.
- Encrypted JSON cache store at ~/.config/varlock/cache/ using the
  existing local-encrypt system. Values are JSON-serialized to preserve
  types (numbers, booleans, objects).
- AsyncLocalStorage-based resolution context threads cache store and
  current item to resolvers without modifying the Resolver class.
- Plugin cache API via plugin.cache.get/set with automatic
  plugin:name:key namespacing.

Random value generator resolvers:
- randomInt(min?, max?) - cryptographically secure random integer
- randomFloat(min?, max?, precision=N) - random float
- randomUuid() - UUID v4
- randomHex(bytes?) - random hex string
- randomString(length?, charset=S) - random alphanumeric string

CLI additions:
- varlock cache / varlock cache clear commands
- --clear-cache and --skip-cache flags on load/run/printenv
- Cache hit indicators in varlock load pretty output
- Cache section in varlock explain output

Documentation for all new functions and CLI commands.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
add opt-in caching to 1password plugin via cacheTtl option
421129e 
@initOp() now accepts a cacheTtl option that caches op() and
opLoadEnvironment() results via the plugin cache API. The TTL is
resolved at runtime so it can be dynamic — e.g.,
cacheTtl=if(forEnv(dev), "1h") to only cache during development.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
move cache and process.env indicators inline with value
1982629 
Display cache hit (📦) and process.env override (🟡) indicators on
the same line as the resolved value instead of separate lines, making
the varlock load pretty output more compact and scannable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
derive cache TTL display from actual cache entry expiry
464d4df 
Add expiresAt to cache hit info so varlock explain can show the actual
TTL for any cached value — including plugin-cached values that don't
use the cache() resolver. TTLs over ~50 years display as "forever".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
make varlock cache command interactive
4ae32f6 
Running `varlock cache` now shows an interactive list of all cached
entries with TTL and age info. Users can scroll through entries and
delete individual ones, or clear all at once. `varlock cache clear`
still works as a non-interactive fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
support flexible TTL unit formats (hr, mins, days, etc.)
9c2a1ca 
TTL strings now accept shorthand and full-word variants:
s/sec/secs/second/seconds, m/min/mins/minute/minutes,
h/hr/hrs/hour/hours, d/day/days, w/wk/wks/week/weeks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
add opt-in caching to aws-secrets, bitwarden, and google-secret-manag…
bb9c087 
…er plugins

Same pattern as 1password: add cacheTtl option to each plugin's init
decorator. The TTL is resolved at runtime so it can be dynamic (e.g.,
cacheTtl=if(forEnv(dev), "1h")). Cache keys are scoped per plugin
and instance.

- aws-secrets: caches awsSecret() and awsParam() calls
- bitwarden: caches bitwarden() calls
- google-secret-manager: caches gsm() calls

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
validate cacheTtl at plugin init and surface as plugin warning
0a5bbad 
Extract resolveCacheTtl() helper that validates the TTL format during
the plugin's execute() phase. Invalid values (like "xyz") now show as
plugin-level warnings rather than surfacing as per-item resolution
errors. All 4 plugins (1password, aws-secrets, bitwarden, gsm) updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 9, 2026

🦋 Changeset detected

Latest commit: 0a5bbad

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name Type
varlock Minor
@varlock/astro-integration Major
@varlock/cloudflare-integration Major
@varlock/expo-integration Major
@varlock/nextjs-integration Major
@varlock/vite-integration Major
@varlock/1password-plugin Major
@varlock/aws-secrets-plugin Major
@varlock/azure-key-vault-plugin Major
@varlock/bitwarden-plugin Major
@varlock/dashlane-plugin Major
@varlock/google-secret-manager-plugin Major
@varlock/hashicorp-vault-plugin Major
@varlock/infisical-plugin Major
@varlock/keepass-plugin Major
@varlock/pass-plugin Major
@varlock/passbolt-plugin Major
@varlock/proton-pass-plugin Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages bot commented Apr 9, 2026

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 varlock-website 0a5bbad Commit Preview URL

Branch Preview URL		 Apr 09 2026, 11:33 PM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

core:varlock core:website maintainer plugin:aws-secrets plugin:bitwarden plugin:google-secret-manager plugin:1password

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theoephraim