Changelog

All notable changes to dotsecenv are documented here. Each version includes changes from the previous release.

v0.5.2

April 14, 2026

Features

Claude Code plugin with two new skills: /dotsecenv:secrets for CLI operations and /dotsecenv:secenv for .secenv file interpretation (#98)

Bug Fixes

init vault -v INDEX now resolves numeric indices to config vault paths instead of creating a file named after the index (#100)
secret get no longer gates on AvailableTo metadata; GPG agent determines decryptability, allowing secrets encrypted by non-logged-in keys to be decrypted (#104)

Other

Update FIPS 140-3 cryptographic module from GOFIPS140=v1.0.0 to GOFIPS140=v1.26.0 (#105)
Update golang.org/x/sys to v0.43.0, golang.org/x/term to v0.42.0 (#101, #102)
Update step-security/harden-runner action to v2.17.0 (#99, #103)

v0.5.1

March 30, 2026

Features

Re-add identity add command for explicitly adding GPG identities to vaults by fingerprint, useful for onboarding new team members and pre-authorizing keys (#97)
Make dse reload clear the secret stack and re-fetch all secrets (plugin#26)

Bug Fixes

Other

Defined a global Renovate configuration for the dotsecenv GitHub org

v0.5.0

March 28, 2026

Features

Add dse up command to load ancestor .secenv files when jumping directly into a subdirectory (plugin#23)

Bug Fixes

Fix false non-interactive terminal warning when secrets are accessed via shell plugin command substitution (#90)
Fix zsh local declaration leaking secret values on re-entry (plugin#15)
Fix unnecessary vault calls when navigating back to parent directory (plugin#17)

Other

Add test coverage for secret forget --ignore-not-found, smart JSON marshaling, and secret get --json
Update Go to 1.26.1 and upgrade dependencies (go-crypto v1.4.1, gopenpgp v3.4.0, x/sys v0.42.0, x/term v0.41.0)
Update actions/create-github-app-token to v3 and step-security/harden-runner to v2.16.0

v0.4.8

March 6, 2026

Features

Add universal install script (install.sh) as the primary installation method, with full CLI flags and environment variable support, checksum/GPG verification, and automatic shell plugin and completions setup
Add contrib/terraform-credentials-dotsecenv wrapper script implementing Terraform’s credentials helper protocol (get/store/forget verbs)
Add --json flag to secret store for JSON validation
Add --json flag to secret get for structured JSON output with smart marshaling
Add --ignore-not-found flag to secret forget for idempotent deletes
Add explicit --fix flag to vault doctor for auto-fixing without interactive prompts

Other

Remove deprecated strict mode
Add community standards (CODE_OF_CONDUCT, CONTRIBUTING, SECURITY)

v0.4.6

February 1, 2026

Features

Warn when decrypting secrets in non-interactive terminals
Rename subcommand: secret put to secret store

Other

Update actions/download-artifact to v7
GitHub workflow and documentation updates

v0.4.5

January 30, 2026

Other

Prove ‘no call home’ with hermetic E2E testing

v0.4.4

January 25, 2026

Bug Fixes

Remove extra newline from secret get output
Allow Claude Code reviews for bots

Other

Remove extraneous data structures, print helpful errors, reduce complexity

v0.4.3

January 12, 2026

Features

Add list mode to secret get command

Bug Fixes

Consolidate hash computation to prevent signing/validation mismatch (breaking change)
Allow secret put to accept piped input

v0.4.2

January 12, 2026

Bug Fixes

Update homebrew-tap with post-notarization checksums

v0.4.1

January 12, 2026

Bug Fixes

Remove quarantine hook for notarized Homebrew binaries

v0.4.0

January 12, 2026

Features

Add macOS notarization for Darwin builds
Add identity create command and signed login proof
Simplify vault subcommands and add doctor health checks
Refactor strict mode option and simplify commands, warnings, and errors
Support multiple vault versions
Add identity add -v with clearer output and strict error behavior

Bug Fixes

Include .sig files in checksums regeneration
Attest Darwin archives after notarization
Detect GPG program before login handling
Add checkout step for verifying notarization
Consistent errors on identity add with missing/unreadable vaults
identity add should always prompt on multiple options
Uniform error messages in strict mode
Secrets are typed without echoing to terminal

Other

Add Claude Code Security Review workflow
Add Claude Code GitHub workflow
Sandbox helper for GPG e2e testing
Update dependencies (golang.org/x/term, golang.org/x/sys, actions/checkout)

v0.3.3

January 4, 2026

Bug Fixes

Release automation fixes

v0.3.2

January 4, 2026

Features

Add init config flags
Add GitHub Action support for init config with flags

Other

Update tagline
Suggest correct namespace separator if invalid one provided
Allow releases to trigger website redeploys

v0.3.1

January 3, 2026

Features

Secret keys now support dots (.)

Other

E2E test runs no longer pollute user’s home directory
Only offer vaults that exist for prompt selection
Trigger website update on release

v0.3.0

January 2, 2026

Features

FIPS 140-3 compliance via crypto/fips140
Additional secret subcommands: store, forget
Configurable GPG program path

Other

Update dependencies (peter-evans/repository-dispatch, mlugg/setup-zig, actions/attest-build-provenance, actions/setup-go)
Add renovate.json for automated dependency updates

v0.2.1

December 31, 2025

Features

Configurable GPG program
Fail if GPG not found on init

Bug Fixes

Fix gpg_program logic

Other

Improve command error handling
Command suggestions for identity/vault check and login
Pre-commit hooks and CI improvements
Started working on Windows arm64/amd64 support

v0.2.0

December 27, 2025

Features

Use FIPS 140-3 validated boringcrypto for Linux builds
Default to FIPS 186-5 compliant algorithms and AES-256-GCM/AEAD encryption (RFC 9580)

Bug Fixes

Fix arm/amd compilation with CGO
Migrate away from deprecated mise ubi backend

v0.1.0

December 25, 2025

Features

Define namespace::secret naming convention

Other

Expanded FAQ and shell plugin references
Improved identity error messages

v0.0.11

January 12, 2026

Bug Fixes

Attest Darwin archives after notarization
Detect GPG program before login handling

v0.0.10

January 12, 2026

Bug Fixes

Add checkout step for verifying notarization

v0.0.9

January 12, 2026

Features

Add macOS notarization for Darwin builds
Add identity create command and signed login proof
Simplify vault subcommands and add doctor health checks
Refactor strict mode option and simplify commands
Support multiple vault versions
Additional secret subcommands: store, forget
Init config flags
Secret keys support dots
FIPS 140-3 via crypto/fips140
Configurable GPG program path
FIPS 186-5 compliant algorithms and AES-256-GCM/AEAD encryption

Bug Fixes

Consistent errors on identity add with missing/unreadable vaults
Identity add prompts on multiple options
Uniform error messages in strict mode
Secrets typed without echoing to terminal
Release automation fixes
Arm/amd compilation with CGO

Other

Claude Code Security Review and GitHub workflows
Sandbox helper for GPG e2e testing
Dependency updates
Pre-commit hooks and test improvements

v0.0.8

December 22, 2025

Other

Remove initial macOS call from tests

v0.0.7

December 22, 2025

Bug Fixes

Fix macOS quarantine prompt

Other

Cache artifacts in tests

v0.0.6

December 22, 2025

Bug Fixes

Homebrew man pages are correctly included

v0.0.5

December 22, 2025

Bug Fixes

Fix GitHub Action GPG signature verification

v0.0.4

December 22, 2025

Features

Generate SBOMs and trigger e2e tests after release

v0.0.3

December 22, 2025

Features

Trigger e2e tests after release

Bug Fixes

Fix SBOM generation
Fix GitHub Action build-from-source

v0.0.2

December 21, 2025

Features

Add GitHub Action

Other

Fix release tag format

v0.0.1

December 20, 2025

Initial release.

Features

Core secret management CLI
GPG-based encryption at rest
Vault format for organizing secrets
Identity management commands
Shell integration support