xenvsync
Development Roadmap

What's next. What we've built.

V2 transforms xenvsync from a single-user tool into a zero-trust secrets manager for teams and automated pipelines.

5 planned V2 phases · 7 / 7 V1 phases complete · 38+ tests

V2 — Collaboration & Scale

Planned

The next evolution — asymmetric cryptography, multi-environment support, CI/CD integrations, and an extensible plugin system.

Phase 8: Multi-Environment Mastery

Manage staging, production, and local environments with a single tool.

  • Targeted push/pull with --env flag
  • Environment fallbacks (.env.shared < .env.staging < .env.local)
  • Smart run injection with XENVSYNC_ENV auto-detect
  • xenvsync envs command to list all environments

Phase 9: Asymmetric Cryptography

Zero-trust key sharing for teams — no more passing symmetric keys around.

  • X25519 keypair generation (xenvsync keygen)
  • Team roster management (add/remove/list public keys)
  • Multi-key vault encryption (per-member key slots)
  • Backward-compatible vault format versioning

Phase 10: CI/CD & DevOps Integrations

First-class support for automated pipelines and containers.

  • Official GitHub Action (nasimstg/xenvsync-action@v1)
  • Docker integration (Alpine image, entrypoint best practices)
  • Format exporting (JSON, YAML, shell, tfvars) — stdout only
  • CI templates for GitLab, CircleCI, Bitbucket Pipelines

Phase 11: Hardening & Auditing

Enterprise-grade rotation, audit trails, and integrity verification.

  • Secret rotation (xenvsync rotate) with team re-encryption
  • Audit logging (xenvsync log — Git-backed change history)
  • Integrity verification without decryption (xenvsync verify)
  • Memory zeroing, passphrase protection, xenvsync doctor

Phase 12: Ecosystem & Community

Extensibility, package managers, and developer ergonomics.

  • Shell completions (bash/zsh/fish/powershell)
  • Plugin system for custom vault backends
  • Documentation site with migration guides
  • Homebrew tap, Scoop bucket, AUR, Nix flake

Want to help shape V2?

We welcome contributions, feature requests, and feedback. Check out our open issues or start a discussion.

V1 — Secure Single-User Sync

Complete

Phase 1: Scaffolding & CLI

  • Go module with Cobra CLI framework
  • Command routing (init, push, pull, run, diff, status)
  • Structured error handling via RunE

Phase 2: Cryptography Engine

  • 32-byte key generation via crypto/rand
  • AES-256-GCM encrypt/decrypt with random nonce
  • Key file permissions enforced at 0600
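As an added illustration of the Phase 2 design (example code, not xenvsync's own), the AES-256-GCM core in Go: the key-length check keeps the cipher at AES-256, every call draws a fresh nonce from crypto/rand, and the GCM tag makes decryption fail on a wrong key or a tampered ciphertext, which is what the Phase 5 crypto tests (round-trip, bad key, tampered ciphertext) exercise. The names newGCM/Encrypt/Decrypt and the nonce || ciphertext || tag blob layout are assumptions; the caller supplies the 32-byte key generated from crypto/rand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newGCM accepts only 32-byte keys; aes.NewCipher alone would also take
// 16- or 24-byte keys and silently select AES-128/192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh 12-byte nonce from crypto/rand.
// Returned blob layout (assumed, not the project's vault format): nonce || ciphertext || 16-byte GCM tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Open fails for a wrong key or any altered
// byte, so a tampered vault is rejected instead of yielding garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("vault blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}
```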

Phase 3: File I/O & Parsing

  • .env parser (quotes, multiline, comments, export prefix)
  • Vault format (header/base64/footer, 76-char wrapping)
  • .gitignore auto-manipulation

Phase 4: Process Execution

  • In-memory decryption (plaintext never on disk)
  • Cross-platform child process spawning
  • Signal forwarding (SIGINT/SIGTERM) and exit code propagation

Phase 5: Testing

  • Crypto unit tests (round-trip, bad key, tampered ciphertext)
  • Parser unit tests (edge cases, multiline, round-trip)
  • Vault format tests (encode/decode, CRLF, malformed input)
  • CLI integration tests (init, push, pull end-to-end)

Phase 6: Hardening & UX

  • Multiline variable support
  • --force flag for key regeneration
  • diff and status commands
  • Key permission validation on load

Phase 7: Packaging & Distribution

  • GoReleaser for cross-platform builds
  • GitHub Actions CI (test matrix, lint, release)
  • Installation documentation