Skip to content

Secrets / env-var management for Fabric-deployed applications #166

Description

@kriszyp

Today there is no supported mechanism to securely configure environment variables (API keys, secrets) for applications deployed to Harper Fabric via the CLI.

loadEnv: .env works locally, but Fabric deployments lack:

  • A UI or CLI mechanism to define environment variables
  • A secure secret store for runtime configuration
  • A way to inject environment variables at deploy time

Customer ask (ESS Request)

Originated from a customer; flagged as a Q2 2026 product roadmap item. From CORE-3024 discussion (bari):

Sub-asks identified:

  • CLI arguments for env vars at deploy time (so customers using harperdb deploy against a GitHub repo without secrets in source can supply them at deploy time).
  • Better template for the deployment workflow.
  • Studio UI for adding secrets (significantly larger; several weeks of focused dev).
  • A "write your .env" prompt in Studio that ends up calling set component with .env content.
  • Allow users to upload a .env file directly. (Note: through Fabric Connect, the secret transits Harper servers — recommend warning users / encouraging direct connect.)
  • Audit/logging policy for secret storage (separate security discussion).
  • Compose-level env vars (Q2 roadmap, separately tracked).
  • harper_ prefix directive for Harper-specific env vars to avoid customer conflicts.

Scope split

This umbrella issue tracks the engineering-side work in harper-pro / core:

  • Deploy-time env-var injection mechanism (CLI + Operations API).
  • Storage model for secrets at rest in Fabric (encrypted, audited).
  • harper_* directive parsing for Harper-internal env-vars.

Studio UI work belongs in HarperFast/studio. Cross-link when the UI ticket is filed.

Not Ready

Needs product/UX alignment on the secrets storage model (where do secrets live? how are they encrypted? what's the audit posture?) before engineering can scope concrete acceptance criteria. The discussion captured in the Jira ticket is a starting point.


Tracked in Jira: CORE-3024

🤖 Filed by Claude on behalf of Kris.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestfrom-jiraMigrated or originated from a Jira ticket

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions