varlock@0.9.0

Minor Changes

• #615 9c38e3a - Add --no-inject-graph CLI flag to varlock run to opt out of injecting the __VARLOCK_ENV serialized config graph into the child process environment. This prevents sensitive values from being exposed via environment inspection (e.g., env, printenv) in interactive shells, long-lived processes, or LLM-driven agents.

Patch Changes

• #627 f93c23f - Fix: escape */ sequences in item descriptions to prevent premature JSDoc comment closure in generated TypeScript types

• #622 6f90d87 - Fix leak detection for Uint8Array/ArrayBuffer response bodies

  scanForLeaks now detects secrets in Uint8Array, ArrayBufferView, and ArrayBuffer values. Previously these fell through unscanned, so secrets returned as binary-encoded response bodies (common in Cloudflare Workers) were not caught.

@varlock/keeper-plugin@0.0.2

Patch Changes

• #545 c1b0943 - Add Keeper Security plugin for loading secrets from Keeper vaults via the Secrets Manager SDK. Supports fetching secrets by record UID, title, or Keeper notation syntax, with access to both standard and custom fields. Includes keeperSmToken data type for config token validation, @initKeeper() root decorator for initialization, and keeper() resolver function for secret retrieval.

• Updated dependencies [9c38e3a, f93c23f, 6f90d87]:

  • varlock@0.9.0

@varlock/doppler-plugin@0.0.2

Patch Changes

• #530 93aa851 - Add Doppler plugin for loading secrets from Doppler projects and configs

• Updated dependencies [9c38e3a, f93c23f, 6f90d87]:

  • varlock@0.9.0

@varlock/cloudflare-integration@0.1.0

Minor Changes

• #622 6f90d87 - Add varlockSvelteKitCloudflarePlugin for SvelteKit + Cloudflare Workers projects

  New varlockSvelteKitCloudflarePlugin exported from @varlock/cloudflare-integration/sveltekit for SvelteKit projects deploying via @sveltejs/adapter-cloudflare. Unlike varlockCloudflareVitePlugin, it does not include @cloudflare/vite-plugin (which doesn't support SvelteKit — see cloudflare/workers-sdk#8922). Instead it injects the cloudflare:workers runtime env loader into SvelteKit's SSR entry and externalizes the import so Rollup preserves it in the built _worker.js. Non-sensitive vars and the __VARLOCK_ENV secret are still uploaded via varlock-wrangler deploy.

  Also adds a conflict guard to varlockCloudflareVitePlugin that errors when the user has manually added @cloudflare/vite-plugin to avoid silent double-registration.

Patch Changes

• Updated dependencies [9c38e3a, f93c23f, 6f90d87]:
  • varlock@0.9.0

@varlock/azure-key-vault-plugin@0.1.0

Minor Changes

• 47722d2 Thanks @bram209! - Add JSON key extraction and per-run secret caching to azureSecret()

@varlock/akeyless-plugin@0.0.2

Patch Changes

• #544 d1925f0 - Add Akeyless plugin for loading secrets from Akeyless Platform. Supports API Key authentication, static/dynamic/rotated secrets, self-hosted gateway, multiple instances, and automatic token caching.

• Updated dependencies [9c38e3a, f93c23f, 6f90d87]:

  • varlock@0.9.0

varlock@0.8.2

Patch Changes

• #620 0f3ca3b - Fix regex literal parsing ambiguity with file paths

  Removed grammar-level regex literal (/pattern/) parsing which caused paths like /folder/foo/bar to be incorrectly parsed as regex patterns. Regex-like strings are now detected at runtime by specific consumers (remap() match values, matches type option) instead of at the grammar level. Unquoted strings that look like /pattern/flags are treated as regex in those contexts; wrap in quotes to force literal string matching.

• #618 0db7d1d - Fix varlock run on Windows: correctly build the cmd.exe command string when spawning .cmd/.bat files

  Previously, individual arguments were double-quoted separately (e.g. "tsx.cmd" "watch" "src/index.ts"). Because cmd.exe's /s /c strips only the first and last quote from the entire command string, this left a stray " after the command name, causing errors like "The system cannot find the path specified."

  The fix wraps the entire inner command string in a single pair of outer quotes (e.g. "tsx.cmd watch src/index.ts"), which is what cmd.exe expects. Paths or arguments that contain spaces are individually quoted inside those outer quotes.

  Additionally, when findCommand cannot resolve a bare command name to a .cmd/.bat path, varlock now falls back to routing through cmd.exe so that Windows PATHEXT lookups (e.g. tsx → tsx.cmd, pnpm → pnpm.cmd) are handled automatically.

env-spec-language@0.1.3

Patch Changes

• #620 0f3ca3b - Fix regex literal parsing ambiguity with file paths

  Removed grammar-level regex literal (/pattern/) parsing which caused paths like /folder/foo/bar to be incorrectly parsed as regex patterns. Regex-like strings are now detected at runtime by specific consumers (remap() match values, matches type option) instead of at the grammar level. Unquoted strings that look like /pattern/flags are treated as regex in those contexts; wrap in quotes to force literal string matching.

@env-spec/parser@0.3.1

Patch Changes

• #620 0f3ca3b - Fix regex literal parsing ambiguity with file paths

  Removed grammar-level regex literal (/pattern/) parsing which caused paths like /folder/foo/bar to be incorrectly parsed as regex patterns. Regex-like strings are now detected at runtime by specific consumers (remap() match values, matches type option) instead of at the grammar level. Unquoted strings that look like /pattern/flags are treated as regex in those contexts; wrap in quotes to force literal string matching.

varlock@0.8.1

Patch Changes

• #610 753086e - fix: noTrailingSlash url type option now correctly rejects URLs like https://example.com/