Automic VaultAutomic Vault

brew

Install varlock with Homebrew

Add declarative schema to .env files using @env-spec decorator comments. Version 1.10.0 via Homebrew; verified 2026-07-08.

install

Additional install commands

macOS

Homebrewverified ยท 100%
brew install varlock

local Homebrew formula metadata

overview

Package summary

Add declarative schema to .env files using @env-spec decorator comments

Commands and aliases

  • varlock

history

Project history and usage

Varlock is a young configuration and secrets tool for `.env`-based workflows. Its project tagline frames the tool around AI-safe `.env` files: schemas are safe for agents and collaborators to read, while actual secrets are resolved separately.

Project history

The project is built on `@env-spec`, a DSL that extends normal `.env` syntax with JSDoc-style decorator comments and function-call values. The initial `@env-spec` RFC was proposed on May 13, 2025 by maintainers Phil Millman and Theo Ephraim, describing the goal of richer validation, type coercion, sensitive-value handling, and dynamic loading while keeping the familiar `.env` format.

Adoption history

Varlock targets the pain point left by `.env.example`: example files are safe to commit but often drift from real runtime requirements. Varlock instead promotes a committed `.env.schema` as a single source of truth, with local or environment-specific `.env.*` files supplying values.

How it is used

Typical usage starts with `varlock init`, which scans existing `.env` files and creates a root `.env.schema`. Users then run `varlock load` to validate and inspect resolved environment variables or `varlock run -- <command>` to execute a process with resolved values. The tool also ships as a standalone binary, Docker image, editor support, and plugins for secret backends such as 1Password, AWS, Azure, Google Secret Manager, HashiCorp Vault, and others.

Why package nerds care

For package users, Varlock is notable as an attempt to standardize metadata around environment variables without forcing a new YAML, JSON, or TypeScript schema file. It is especially tuned for modern AI-assisted development, where agents need configuration context but should not be handed plaintext secrets.

Timeline

  • 2025-05-13: Initial `@env-spec` RFC proposed.
  • 2026: Repository documents Varlock as a CLI, Docker image, VS Code extension ecosystem, and plugin host for multiple secret backends.

Related projects

  • DMNO is cited by the maintainers as the predecessor whose lessons informed Varlock.
  • `@env-spec` is the underlying specification and parser family used by Varlock.

Sources

  • Initial @env-spec RFC: https://github.com/dmno-dev/varlock/discussions/17
  • Official @env-spec overview: https://varlock.dev/env-spec/overview/
  • Official GitHub repository: https://github.com/dmno-dev/varlock
  • Official installation guide: https://varlock.dev/getting-started/installation/

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for varlock. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
.env.schema

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
.env.local.env.*

executables

Installed executables

CommandKindExposureNote
varlockcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.10.0
manager updated2026-07-08
local dataok
upstreamnot checked
latest detectednot detected

https://varlock.dev

  • infoRelease/tag comparison is only available for GitHub repositories.https://varlock.devnone confidence

install metadata

Package metadata

Package keybrew:varlock
Version1.10.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/varlock
Homepagehttps://varlock.dev
Repositoryhttps://github.com/dmno-dev/varlock
Upstream docshttps://varlock.dev/getting-started/introduction
LicenseMIT
Source archivehttps://registry.npmjs.org/varlock/-/varlock-1.10.0.tgz
Last updated2026-07-08T03:17:01Z
Pulseupdated
Dependenciesnode
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namevarlock
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment