macOS
brew install varlocklocal Homebrew formula metadata
brew
Add declarative schema to .env files using @env-spec decorator comments. Version 1.10.0 via Homebrew; verified 2026-07-08.
install
brew install varlocklocal Homebrew formula metadata
overview
Add declarative schema to .env files using @env-spec decorator comments
history
Varlock is a young configuration and secrets tool for `.env`-based workflows. Its project tagline frames the tool around AI-safe `.env` files: schemas are safe for agents and collaborators to read, while actual secrets are resolved separately.
The project is built on `@env-spec`, a DSL that extends normal `.env` syntax with JSDoc-style decorator comments and function-call values. The initial `@env-spec` RFC was proposed on May 13, 2025 by maintainers Phil Millman and Theo Ephraim, describing the goal of richer validation, type coercion, sensitive-value handling, and dynamic loading while keeping the familiar `.env` format.
Varlock targets the pain point left by `.env.example`: example files are safe to commit but often drift from real runtime requirements. Varlock instead promotes a committed `.env.schema` as a single source of truth, with local or environment-specific `.env.*` files supplying values.
Typical usage starts with `varlock init`, which scans existing `.env` files and creates a root `.env.schema`. Users then run `varlock load` to validate and inspect resolved environment variables or `varlock run -- <command>` to execute a process with resolved values. The tool also ships as a standalone binary, Docker image, editor support, and plugins for secret backends such as 1Password, AWS, Azure, Google Secret Manager, HashiCorp Vault, and others.
For package users, Varlock is notable as an attempt to standardize metadata around environment variables without forcing a new YAML, JSON, or TypeScript schema file. It is especially tuned for modern AI-assisted development, where agents need configuration context but should not be handed plaintext secrets.
security posture
No matching local secret-handling manifest was found for varlock. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
.env.schemaCredential-bearing paths to review before unattended agent runs.
.env.local.env.*executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
varlock | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
install metadata
| Package key | brew:varlock |
|---|---|
| Version | 1.10.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/varlock |
| Homepage | https://varlock.dev |
| Repository | https://github.com/dmno-dev/varlock |
| Upstream docs | https://varlock.dev/getting-started/introduction |
| License | MIT |
| Source archive | https://registry.npmjs.org/varlock/-/varlock-1.10.0.tgz |
| Last updated | 2026-07-08T03:17:01Z |
| Pulse | updated |
| Dependencies | node |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | varlock |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.