xenvsync
Development Roadmap

Roadmap in motion. Major phases shipped.

From single-user encryption to zero-trust team secrets management, xenvsync continues to ship across a 12-phase roadmap.

12
Roadmap Themes
20+
Commands
140+
Tests

V2 — Collaboration & Scale

Complete

Asymmetric cryptography, multi-environment support, CI/CD integrations, hardening, and an extensible ecosystem — all shipped.

Phase 8: Multi-Environment Mastery

Manage staging, production, and local environments with a single tool.

  • Targeted push/pull with --env flag
  • Environment fallbacks (.env.shared < .env.staging < .env.local)
  • Smart run injection with XENVSYNC_ENV auto-detect
  • xenvsync envs command to list all environments

Phase 9: Asymmetric Cryptography

Zero-trust key sharing for teams — no more passing symmetric keys around.

  • X25519 keypair generation (xenvsync keygen)
  • Team roster management (add/remove/list public keys)
  • Multi-key vault encryption (per-member key slots)
  • Backward-compatible vault format versioning

Phase 10: CI/CD & DevOps Integrations

First-class support for automated pipelines and containers.

  • Official GitHub Action (nasimstg/xenvsync-action@v1)
  • Docker integration (Alpine image, entrypoint best practices)
  • Format exporting (JSON, YAML, shell, tfvars) — stdout only
  • CI templates for GitLab, CircleCI, Bitbucket Pipelines

Phase 11: Hardening & Auditing

Enterprise-grade rotation, audit trails, and integrity verification.

  • Secret rotation (xenvsync rotate) with team re-encryption
  • Audit logging (xenvsync log — Git-backed change history)
  • Integrity verification without decryption (xenvsync verify)
  • Memory zeroing, passphrase protection, xenvsync doctor

Phase 12: Ecosystem & Community

Extensibility, package managers, and developer ergonomics.

  • Shell completions (bash/zsh/fish/powershell)
  • Plugin system for custom vault backends
  • Documentation site with migration guides
  • Homebrew tap, Scoop bucket, AUR, Nix flake

What should we build next?

All 12 phases are shipped. We welcome contributions, feature requests, and feedback to shape what comes next.

Open an IssueGet Started

V1 — Secure Single-User Sync

Complete

Phase 1: Scaffolding & CLI

  • Go module with Cobra CLI framework
  • Command routing (init, push, pull, run, diff, status)
  • Structured error handling via RunE

Phase 2: Cryptography Engine

  • 32-byte key generation via crypto/rand
  • AES-256-GCM encrypt/decrypt with random nonce
  • Key file permissions enforced at 0600

Phase 3: File I/O & Parsing

  • .env parser (quotes, multiline, comments, export prefix)
  • Vault format (header/base64/footer, 76-char wrapping)
  • .gitignore auto-manipulation

Phase 4: Process Execution

  • In-memory decryption (plaintext never on disk)
  • Cross-platform child process spawning
  • Signal forwarding (SIGINT/SIGTERM) and exit code propagation

Phase 5: Testing

  • Crypto unit tests (round-trip, bad key, tampered ciphertext)
  • Parser unit tests (edge cases, multiline, round-trip)
  • Vault format tests (encode/decode, CRLF, malformed input)
  • CLI integration tests (init, push, pull end-to-end)

Phase 6: Hardening & UX

  • Multiline variable support
  • --force flag for key regeneration
  • diff and status commands
  • Key permission validation on load

Phase 7: Packaging & Distribution

  • GoReleaser for cross-platform builds
  • GitHub Actions CI (test matrix, lint, release)
  • Installation documentation