Add devsecrets run to launch commands with secrets injected#5
Draft
peterkracik wants to merge 2 commits into
Draft
Add devsecrets run to launch commands with secrets injected#5peterkracik wants to merge 2 commits into
devsecrets run to launch commands with secrets injected#5peterkracik wants to merge 2 commits into
Conversation
Adds a `run` subcommand (alias `exec`) that executes a command with an environment's secrets injected as real environment variables, layered on top of the inherited environment. This is the most direct way to "source" secrets — the child process sees them without a `.env` file or manual eval. - Resolves project/env from flags or the folder assignment, mirroring export. - References are resolved unless `--raw`. - Propagates the command's exit code. - Factors the shared project/env resolution out of `export` into a helper. - Integration tests cover injection, the `exec` alias, `--raw`, and exit-code propagation; README documents the new command. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01C3zFWGBSgR1BBt8sVGXsEd
A child process can't change its parent shell's environment, so loading
secrets into your *current* shell must be done by the shell via eval.
`shellenv` prints a hardened `dsenv` function for ~/.bashrc / ~/.zshrc:
eval "$(devsecrets shellenv)"
dsenv -p api -e dev # secrets now in the current shell, no prefix
The function captures `export --format shell` into a variable and only
eval's it on success, so a failed export never wipes the shell. Also lets
`run`/`exec` open an interactive subshell when given no command, as an
alternative no-prefix workflow. Integration tests drive a real shell to
verify dsenv loads values into the current shell, plus the subshell path.
README documents both, with `dsenv` as the recommended approach.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01C3zFWGBSgR1BBt8sVGXsEd
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new
runsubcommand (aliasexec) that automatically sources an environment's secrets into a command's environment. The secrets are injected as real environment variables (layered on top of the inherited environment), so the launched program "just sees" them — no.envfile on disk and no manualeval.This is the most direct way to load secrets for a single process: the variables exist only for the launched command and disappear when it exits.
What's included
run/execsubcommand (src/cli.rs):-p/--project,-e/--env,--raw, and a trailing<command>...(use--to separate the command's own flags).src/commands.rs): resolves project/env from flags or the folder assignment (same logic asexport), resolves${...}references unless--raw, spawns the command with the secrets viaCommand::envs, and propagates the child's exit code.exportinto aresolve_env_valueshelper, now reused by bothexportandrun.tests/cli.rs): cover secret injection into the child env, theexecalias,--raw(references kept literal), and exit-code propagation.README.md): new features bullet, a "Run a command with secrets" CLI section, and a "Run a command directly" entry under loading secrets into your shell.Verification
cargo fmt --all --check✓cargo clippy --all-targets -- -D warnings✓cargo test --all --locked✓ (all unit + integration tests pass, including the two newrun_*tests)🤖 Generated with Claude Code
Generated by Claude Code