Changelog

All notable changes to dotsecenv are documented here. Each version includes changes from the previous release.

Upcoming

Unreleased

Features

init secenv bootstraps a .secenv file from your existing vaults (#183)

Bug Fixes

Shell plugin: reload secrets on directory re-entry, fix the {dotsecenv/} literal regression, and fail fast when the store is unavailable (#190)
Shell plugin reports plain env vars and secrets on separate lines (#192)

Other

Add a CLI reference drift check, gated before release, so the website reference stays in sync with the binary (#211)
Release notes now build up continuously under “Upcoming”: a new changelog skill adds a one-line entry per PR and stamps the section at release time (#212)
The changelog and cli-reference-drift maintainer skills moved to .claude/skills/, so the published plugin now ships only the secenv and secrets skills to installers (#213)
Backfill the changelog for the v0.6.2 through v0.6.16 releases and the unreleased PRs since (#214)
Standardize CI keypair naming and document key scope (#208)
Document the squash-merge commit message and PR description conventions (#194, #195)
Scope the agent vendoring rule to atomic major upgrades in their own PR (#186, #188)
Add a blog post on signed monorepo releases with GitHub Workflows (#173, #174)
Fix the fish plugin test suite and run it in CI on fish 3.x and 4.x (#193)
Unify Expressive Code frame corners and border color on the website (#191)
Update Astro and Starlight for the website build (#175, #179, #200, #201, #202, #206, #207, #209)
Update lint tooling: eslint, typescript-eslint, eslint-plugin-mdx (#172, #176, #181, #182, #196, #198, #205)
Update Go modules: x/crypto (security), x/term, and bubbletea/lipgloss v2 (#178, #187, #197, #204)
Update GitHub Actions and the Go toolchain: checkout, harden-runner, goreleaser-action, Go 1.26.4 (#177, #180, #199)
Update the sharp image library (#210)
Renovate lock file maintenance (#171)

v0.6.16

May 18, 2026

Covers releases v0.6.2 through v0.6.16, most of which moved packaging into the monorepo and hardened the release pipeline.

Features

Distribution packages now live in the monorepo and publish on release (#136, #152)
Smoke-test brew install right after the homebrew-tap push (#135)

Bug Fixes

Fix website rendering and performance (#165)
Harden release verification: import key.asc before verifying historical assets, wait on homebrew-tap CI and the CDN, and fix the Linux arm64 checksum (#148, #168)

Other

Retract v0.6.10 and v0.6.11, and add retraction tooling (#151)
Sign release pushes via releasetools/actions/signed-push, commit the homebrew-tap cask over GraphQL, and tag the tap at the release version (#160, #161, #163)
SHA-pin every third-party action, set least-privilege GITHUB_TOKEN permissions, and drop unused scopes across workflows (#147, #167, #169)
Add a single required ci-merge-gate status check and verify drift in satellite repos (#153, #156, #159, #166)
Prune packages by keeping the last patch of the last N minors, and link get.dotsecenv.com on publish (#162, #170)
Restructure CI workflows, add a release pre-flight check, and ignore .claude/settings.local.json (#142, #146, #149, #150, #158)
Close docs gaps in the GPG agent, offboarding, and multi-env FIPS guidance (#157)
Update dependencies: astro, @astrojs/starlight, starlight-llms-txt, typescript-eslint, harden-runner, x/term (#138, #139, #140, #141, #143, #144, #145)

v0.6.1

May 7, 2026

Features

Reject backdated and far-future appends at write time. A new entry’s added_at must not predate the most recent existing entry, and must not be more than 5 minutes in the future. This blocks trivial backdating and prevents a single forward-dated write from DoS-ing every subsequent append until wall-clock catches up (#134)
login filters out sign-only keys when matching candidates, and adds a blank line before the login summary for cleaner output (#133)
secret get --all --json now exposes available_to and signed_by for each entry (#130)

Bug Fixes

make demo now produces a working asciinema recording, written to a path that survives sandbox cleanup (#124, #125)

Other

Breaking: gpg.program now defaults to resolving gpg via PATH, and the --no-gpg-program flag is removed. Set gpg.program explicitly to an absolute path if you need to pin a specific binary (#119)
Drop the deprecated fingerprint migration warning and dead output/compat.go (#132)
Add examples/ directory with self-contained scenarios, plus recipes/ for Context7 retrieval coverage (#117, #122, #123)
Claim Context7 library ownership via context7.json for documentation indexing (#121, #127, #128)
Add AGENTS.md for AI coding agents (#118)
Require PRs and tests for all changes to main (#131)
Fix broken cross-refs and link examples to site tutorials (#120)
Align example-05/ debugging table with real plugin messages (#129)

v0.6.0

May 4, 2026

Features

Trusted policy directory at /etc/dotsecenv/policy.d/ for system-wide admin rules. Fragments can pin allow-lists (approved_algorithms, approved_vault_paths) and scalars (behavior.*, gpg.program). Allow-lists intersect with user config; scalars override the user. Two new commands ship with it: dotsecenv policy list and dotsecenv policy validate, both with --json. Policy loads fail-closed, with a distinct exit code per error category. Full design at Security Policies. (#114, #115, #116)

Bug Fixes

Update github.com/protonmail/gopenpgp/v3 to v3.4.1 (#112)

Other

Breaking: SUID mode is gone. Installation no longer needs root to set up SUID bits. To enforce admin policy across users, use the new /etc/dotsecenv/policy.d/ instead. (#110)
Breaking: The deprecated Config.Fingerprint YAML field and DOTSECENV_FINGERPRINT environment variable are removed. Use dotsecenv login <FP> to populate the signed login: block. (#109)
Drop /var/lib/dotsecenv/vault from the default vault path list (#111)
Update step-security/harden-runner action to v2.19.1 (#107, #108, #113)

v0.5.2

April 14, 2026

Features

Claude Code plugin with two new skills: /dotsecenv:secrets for CLI operations and /dotsecenv:secenv for .secenv file interpretation (#98)

Bug Fixes

init vault -v INDEX now resolves numeric indices to config vault paths instead of creating a file named after the index (#100)
secret get no longer gates on AvailableTo metadata; GPG agent determines decryptability, allowing secrets encrypted by non-logged-in keys to be decrypted (#104)

Other

Update FIPS 140-3 cryptographic module from GOFIPS140=v1.0.0 to GOFIPS140=v1.26.0 (#105)
Update golang.org/x/sys to v0.43.0, golang.org/x/term to v0.42.0 (#101, #102)
Update step-security/harden-runner action to v2.17.0 (#99, #103)

v0.5.1

March 30, 2026

Features

Re-add identity add command for explicitly adding GPG identities to vaults by fingerprint, useful for onboarding new team members and pre-authorizing keys (#97)
Make dse reload clear the secret stack and re-fetch all secrets (plugin#26)

Bug Fixes

Other

Defined a global Renovate configuration for the dotsecenv GitHub org

v0.5.0

March 28, 2026

Features

Add dse up command to load ancestor .secenv files when jumping directly into a subdirectory (plugin#23)

Bug Fixes

Fix false non-interactive terminal warning when secrets are accessed via shell plugin command substitution (#90)
Fix zsh local declaration leaking secret values on re-entry (plugin#15)
Fix unnecessary vault calls when navigating back to parent directory (plugin#17)

Other

Add test coverage for secret forget --ignore-not-found, smart JSON marshaling, and secret get --json
Update Go to 1.26.1 and upgrade dependencies (go-crypto v1.4.1, gopenpgp v3.4.0, x/sys v0.42.0, x/term v0.41.0)
Update actions/create-github-app-token to v3 and step-security/harden-runner to v2.16.0

v0.4.8

March 6, 2026

Features

Add universal install script (install.sh) as the primary installation method, with full CLI flags and environment variable support, checksum/GPG verification, and automatic shell plugin and completions setup
Add contrib/terraform-credentials-dotsecenv wrapper script implementing Terraform’s credentials helper protocol (get/store/forget verbs)
Add --json flag to secret store for JSON validation
Add --json flag to secret get for structured JSON output with smart marshaling
Add --ignore-not-found flag to secret forget for idempotent deletes
Add explicit --fix flag to vault doctor for auto-fixing without interactive prompts

Other

Remove deprecated strict mode
Add community standards (CODE_OF_CONDUCT, CONTRIBUTING, SECURITY)

v0.4.6

February 1, 2026

Features

Warn when decrypting secrets in non-interactive terminals
Rename subcommand: secret put to secret store

Other

Update actions/download-artifact to v7
GitHub workflow and documentation updates

v0.4.5

January 30, 2026

Other

Prove ‘no call home’ with hermetic E2E testing

v0.4.4

January 25, 2026

Bug Fixes

Remove extra newline from secret get output
Allow Claude Code reviews for bots

Other

Remove extraneous data structures, print helpful errors, reduce complexity

v0.4.3

January 12, 2026

Features

Add list mode to secret get command

Bug Fixes

Consolidate hash computation to prevent signing/validation mismatch (breaking change)
Allow secret put to accept piped input

v0.4.2

January 12, 2026

Bug Fixes

Update homebrew-tap with post-notarization checksums

v0.4.1

January 12, 2026

Bug Fixes

Remove quarantine hook for notarized Homebrew binaries

v0.4.0

January 12, 2026

Features

Add macOS notarization for Darwin builds
Add identity create command and signed login proof
Simplify vault subcommands and add doctor health checks
Refactor strict mode option and simplify commands, warnings, and errors
Support multiple vault versions
Add identity add -v with clearer output and strict error behavior

Bug Fixes

Include .sig files in checksums regeneration
Attest Darwin archives after notarization
Detect GPG program before login handling
Add checkout step for verifying notarization
Consistent errors on identity add with missing/unreadable vaults
identity add should always prompt on multiple options
Uniform error messages in strict mode
Secrets are typed without echoing to terminal

Other

Add Claude Code Security Review workflow
Add Claude Code GitHub workflow
Sandbox helper for GPG e2e testing
Update dependencies (golang.org/x/term, golang.org/x/sys, actions/checkout)

v0.3.3

January 4, 2026

Bug Fixes

Release automation fixes

v0.3.2

January 4, 2026

Features

Add init config flags
Add GitHub Action support for init config with flags

Other

Update tagline
Suggest correct namespace separator if invalid one provided
Allow releases to trigger website redeploys

v0.3.1

January 3, 2026

Features

Secret keys now support dots (.)

Other

E2E test runs no longer pollute user’s home directory
Only offer vaults that exist for prompt selection
Trigger website update on release

v0.3.0

January 2, 2026

Features

FIPS 140-3 compliance via crypto/fips140
Additional secret subcommands: store, forget
Configurable GPG program path

Other

Update dependencies (peter-evans/repository-dispatch, mlugg/setup-zig, actions/attest-build-provenance, actions/setup-go)
Add renovate.json for automated dependency updates

v0.2.1

December 31, 2025

Features

Configurable GPG program
Fail if GPG not found on init

Bug Fixes

Fix gpg_program logic

Other

Improve command error handling
Command suggestions for identity/vault check and login
Pre-commit hooks and CI improvements
Started working on Windows arm64/amd64 support

v0.2.0

December 27, 2025

Features

Use FIPS 140-3 validated boringcrypto for Linux builds
Default to FIPS 186-5 compliant algorithms and AES-256-GCM/AEAD encryption (RFC 9580)

Bug Fixes

Fix arm/amd compilation with CGO
Migrate away from deprecated mise ubi backend

v0.1.0

December 25, 2025

Features

Define namespace::secret naming convention

Other

Expanded FAQ and shell plugin references
Improved identity error messages

v0.0.11

January 12, 2026

Bug Fixes

Attest Darwin archives after notarization
Detect GPG program before login handling

v0.0.10

January 12, 2026

Bug Fixes

Add checkout step for verifying notarization

v0.0.9

January 12, 2026

Features

Add macOS notarization for Darwin builds
Add identity create command and signed login proof
Simplify vault subcommands and add doctor health checks
Refactor strict mode option and simplify commands
Support multiple vault versions
Additional secret subcommands: store, forget
Init config flags
Secret keys support dots
FIPS 140-3 via crypto/fips140
Configurable GPG program path
FIPS 186-5 compliant algorithms and AES-256-GCM/AEAD encryption

Bug Fixes

Consistent errors on identity add with missing/unreadable vaults
Identity add prompts on multiple options
Uniform error messages in strict mode
Secrets typed without echoing to terminal
Release automation fixes
Arm/amd compilation with CGO

Other

Claude Code Security Review and GitHub workflows
Sandbox helper for GPG e2e testing
Dependency updates
Pre-commit hooks and test improvements

v0.0.8

December 22, 2025

Other

Remove initial macOS call from tests

v0.0.7

December 22, 2025

Bug Fixes

Fix macOS quarantine prompt

Other

Cache artifacts in tests

v0.0.6

December 22, 2025

Bug Fixes

Homebrew man pages are correctly included

v0.0.5

December 22, 2025

Bug Fixes

Fix GitHub Action GPG signature verification

v0.0.4

December 22, 2025

Features

Generate SBOMs and trigger e2e tests after release

v0.0.3

December 22, 2025

Features

Trigger e2e tests after release

Bug Fixes

Fix SBOM generation
Fix GitHub Action build-from-source

v0.0.2

December 21, 2025

Features

Add GitHub Action

Other

Fix release tag format

v0.0.1

December 20, 2025

Initial release.

Features

Core secret management CLI
GPG-based encryption at rest
Vault format for organizing secrets
Identity management commands
Shell integration support