# Install varlock with Homebrew

Add declarative schema to .env files using @env-spec decorator comments. Version 1.10.0 via Homebrew; verified 2026-07-08.

## Install

```sh
sudo av install brew:varlock
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install varlock
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:varlock
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/varlock>
- **Version:** 1.10.0
- **Source summary:** Add declarative schema to .env files using @env-spec decorator comments
- **Homepage:** <https://varlock.dev>
- **Repository:** <https://github.com/dmno-dev/varlock>
- **Upstream docs:** <https://varlock.dev/getting-started/introduction>
- **License:** MIT
- **Source archive:** <https://registry.npmjs.org/varlock/-/varlock-1.10.0.tgz>
- **Last updated:** 2026-07-08T03:17:01Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- varlock (cli)
- varlock (alias)

## Dependencies

- node

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.10.0
- Package-manager updated: 2026-07-08
- Local data: ok
- Upstream repository: https://varlock.dev
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

Varlock is a young configuration and secrets tool for `.env`-based workflows. Its project tagline frames the tool around AI-safe `.env` files: schemas are safe for agents and collaborators to read, while actual secrets are resolved separately.

### Project history

The project is built on `@env-spec`, a DSL that extends normal `.env` syntax with JSDoc-style decorator comments and function-call values. The initial `@env-spec` RFC was proposed on May 13, 2025 by maintainers Phil Millman and Theo Ephraim, describing the goal of richer validation, type coercion, sensitive-value handling, and dynamic loading while keeping the familiar `.env` format.

### Adoption history

Varlock targets the pain point left by `.env.example`: example files are safe to commit but often drift from real runtime requirements. Varlock instead promotes a committed `.env.schema` as a single source of truth, with local or environment-specific `.env.*` files supplying values.

### How it is used

Typical usage starts with `varlock init`, which scans existing `.env` files and creates a root `.env.schema`. Users then run `varlock load` to validate and inspect resolved environment variables or `varlock run -- <command>` to execute a process with resolved values. The tool also ships as a standalone binary, Docker image, editor support, and plugins for secret backends such as 1Password, AWS, Azure, Google Secret Manager, HashiCorp Vault, and others.

### Why package nerds care

For package users, Varlock is notable as an attempt to standardize metadata around environment variables without forcing a new YAML, JSON, or TypeScript schema file. It is especially tuned for modern AI-assisted development, where agents need configuration context but should not be handed plaintext secrets.

### Timeline

- 2025-05-13: Initial `@env-spec` RFC proposed.
- 2026: Repository documents Varlock as a CLI, Docker image, VS Code extension ecosystem, and plugin host for multiple secret backends.

### Related projects

- DMNO is cited by the maintainers as the predecessor whose lessons informed Varlock.
- `@env-spec` is the underlying specification and parser family used by Varlock.

### Sources

- Initial @env-spec RFC: https://github.com/dmno-dev/varlock/discussions/17
- Official @env-spec overview: https://varlock.dev/env-spec/overview/
- Official GitHub repository: https://github.com/dmno-dev/varlock
- Official installation guide: https://varlock.dev/getting-started/installation/


## Security Notes

No matching local secret-handling manifest was found for varlock. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: .env.schema

## Credential files

- Unix: .env.local, .env.*
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** varlock
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [node](https://www.automicvault.com/pkg/brew/node/) - Runtime dependency declared by Homebrew.
- [doppler](https://www.automicvault.com/pkg/brew/doppler/) - Shares av.db curated category or tags: cli, configuration, environment-variables, secrets-management, security.
- [infisical](https://www.automicvault.com/pkg/brew/infisical/) - Shares av.db curated category or tags: cli, environment-variables, secrets-management, security.
- [secretspec](https://www.automicvault.com/pkg/brew/secretspec/) - Shares av.db curated category or tags: cli, configuration, secrets-management, security.
- [chamber](https://www.automicvault.com/pkg/brew/chamber/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [credstash](https://www.automicvault.com/pkg/brew/credstash/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [envchain](https://www.automicvault.com/pkg/brew/envchain/) - Shares av.db curated category or tags: cli, environment-variables, secrets-management, security.
- [openbao](https://www.automicvault.com/pkg/brew/openbao/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [sops](https://www.automicvault.com/pkg/brew/sops/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [varlock](https://www.automicvault.com/pkg/npm/varlock/) - Same normalized package name appears in another local ecosystem. Shared terms: env, environment, files, management, secrets.
- [varlock](https://www.automicvault.com/pkg/npm/varlock/) - Same normalized package name in another local ecosystem.

## Combined YAML source

View the package source record on GitHub. [combined/varlock.yml](https://github.com/automic-vault/db/blob/main/combined/varlock.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
