redenv/Changelog
What's New

Changelog

All the latest updates, improvements, and fixes across the Redenv ecosystem.

38 releases
Last updated February 4, 2026
JS SDKv1.2.1
Changed
  • init() now returns Secrets: Previously returned void. Now returns the Secrets object.
Python SDKv0.4.1
Changed
  • init() now returns Secrets: Previously returned None. Now returns the Secrets object.
CLIv1.8.0
Fixed
  • Import New Project: The "New Project" option in import command now properly creates project metadata (PEK, salt, etc.) instead of failing with "project not found".
Changed
  • Extracted project creation logic into shared createProject() function for better code reuse.
  • Simplified register command to use the shared project creation utility.
CLIv1.7.0
Changed
  • Config writer now updates TS/JS files in-place via targeted field replacement, preserving plugins and imports.
  • Dropped JSON config file support.
Removed
  • switch project command.
CLIv1.6.0
Changed
  • Updated @redenv/core to v1.2.0 to include include improved atomic writng logic.
  • add command now forces interactive mode when inline value contains ${...} references.
  • edit command is now fully interactive — removed inline [value] argument.
Corev1.2.0
Changed
  • Atomic Secret Updates: Refactored writeSecret to use a Lua script for atomic "read-modify-write" operations in Redis. This prevents race conditions and data loss during concurrent secret updates.
  • Cluster-Safe Architecture: Optimized the update flow to be Redis Cluster compatible by separating metadata retrieval from the atomic write operation, avoiding CROSSSLOT errors.
JS SDKv1.2.0
Changed
  • Updated @redenv/core to v1.2.0 to include improved atomic writng logic
Python SDKv0.4.0
Changed
  • Atomic Secret Updates: Refactored client.set() (async and sync) to use a Lua script for atomic "read-modify-write" operations in Redis. This prevents race conditions and data loss during concurrent secret updates.
  • Cluster-Safe Architecture: Optimized the update flow to be Redis Cluster compatible by separating metadata retrieval from the atomic write operation, avoiding CROSSSLOT errors.
CLIv1.5.1
Changed
  • Updated @redenv/core to v1.1.1 to include improved secret expansion and escaping logic.
CLIv1.5.0
Added
  • Secret Referencing: Full support for ${VAR_NAME} syntax in secret values. References are recursively resolved in list, view, and export commands.
  • Improved UI: Introduced a clean, tree-style output format for list and view commands to better display multi-line values and expansion details.
  • Reference Validation: The add and edit commands now interactively validate referenced keys and warn if they don't exist.
  • Command Arguments: The add and edit commands now accept an optional [value] argument for quicker, non-interactive secret updates.
  • Smart Edit: The edit command now pre-populates the prompt with the current secret value for easier modification.
  • Raw Export: Added --raw flag to redenv export to skip variable expansion.
Corev1.1.1
Changed
  • Improved Secret Expansion: Refactored expandSecrets logic to robustly handle complex backslash escaping (even/odd backslash patterns) and recursive resolution.
Corev1.1.0
Added
  • Secret Expansion: Added expandSecrets utility to recursively resolve ${VAR_NAME} references within secret values, including cycle detection and escaping support.
JS SDKv1.1.0
Added
  • Secrets Class Wrapper: Replaced the plain Record<string, string> return type of .load() with a specialized Secrets class.
  • Feature Parity with Python SDK: Secret Expansion: Automatic resolution of ${VAR_NAME} references within secrets. Smart Casting: New .get(key) method returning a wrapper with .toInt(), .toBool(), .toJSON(), and .toString() helpers. Scoping: .scope(prefix) method to create a view of secrets with a specific prefix stripped. Validation: .require(...keys) method for fail-fast checks of mandatory secrets. Raw Access: .raw property to access original values before expansion. Automatic Masking: Sensitive values are now automatically masked (********) when using console.log(secrets), secrets.toString(), or JSON.stringify(secrets). Time Travel: Added .getVersion(key, version) to fetch historical secrets. Supports absolute version IDs and relative indexing (e.g., -1 for oldest). Environment Override: Added env.override option (default: true) to control whether process.env (or Deno.env) is overwritten.
  • Unmasked Access: Added secrets.toObject() to retrieve the plain, unmasked secrets object when needed for debugging or specific integrations.
Python SDKv0.3.0
Added
  • Secret Expansion: Support for ${VAR_NAME} syntax for referencing other secrets within values.
  • Raw Value Access: Added .raw property to Secrets object to access unexpanded values.
  • Recursive Resolution: Variable expansion supports multi-level recursion with circular dependency detection.
Changed
  • Safe Access: Accessing a non-existent secret via secrets["KEY"] now returns None instead of raising a KeyError.
  • Improved Scoping: secrets.scope() now correctly preserves both expanded and raw values in the resulting subset.
Python SDKv0.2.0
Added
  • Synchronous Client: Added RedenvSync for blocking contexts (scripts, legacy apps).
  • Write Support: Implemented client.set(key, value) with full version history management.
  • Smart Secrets Object: secrets.get(key, cast=int): Auto-convert types. secrets.scope("PREFIX_"): Create namespaced configuration subsets. secrets.require("KEY"): Fail-fast validation for missing keys.
  • Time Travel: Added client.get_version(key, v) to fetch historical secrets. Supports both absolute IDs and relative indexing (0=Latest, 1=Previous).
  • Security Hardening: Secrets object now masks values (********) in logs/print statements to prevent accidental leakage.
  • Override Protection: Added env.override option to prevent overwriting existing environment variables.
Python SDKv0.1.0
Added
  • Initial Release: First public beta release of the redenv Python SDK.
  • Zero-Knowledge Security: All cryptographic operations (AES-256-GCM, PBKDF2) are performed locally.
  • Async Support: Built on asyncio and upstash-redis for high-performance non-blocking operations.
  • SWR Caching: Implemented a robust Stale-While-Revalidate caching strategy using cachetools.LRUCache.
  • Environment Injection: Automatically populates os.environ with decrypted secrets on load().
CLIv1.4.2
Added
  • Token Auditing: The token create command now captures and stores the creator's identity (email or system username) in the createdBy field for better auditing.
CLIv1.4.1
Added
  • Plugin API Enhancements: Enhanced getEphemeralToken to return expiresAt date.
Corev1.0.5
Added
  • Plugin API Enhancements: enhanced getEphemeralToken to return expiresAt date.
CLIv1.4.0
Added
  • Plugin Context Enhancements: The plugin context (PluginContext) now provides redisUrl and redisToken for direct access to the configured Upstash Redis credentials.
  • Ephemeral Token Support: Introduced getEphemeralToken() in the PluginContext, allowing plugins to securely obtain temporary, session-scoped Service Tokens for accessing project secrets. These tokens are automatically cleaned up on CLI exit.
Corev1.0.4
Added
  • Plugin API Enhancements: PluginContext now includes redisUrl and redisToken for direct access to Redis connection details. PluginContext now provides getEphemeralToken() to allow plugins to securely obtain temporary, session-scoped Service Tokens.
JS SDKv1.0.7
Added
  • Added support for ephemeral tokens for plugins.
CLIv1.3.0
Added
  • Plugin Architecture: Introduced a robust plugin system allowing users to extend CLI functionality. Plugins can now be defined in redenv.config.js or redenv.config.ts and are dynamically loaded at runtime.
  • Enhanced Configuration: Added support for JavaScript/TypeScript configuration files (.js, .ts, .cjs, .mjs), enabling dynamic configuration and plugin integration.
Changed
  • Configuration Strategy: Shifted the primary configuration format from static JSON to dynamic JavaScript/TypeScript files. While redenv.config.json remains supported for backward compatibility, new projects are encouraged to use the script-based formats for greater flexibility.
Corev1.0.3
Added
  • Added createPlugin function for plugin creation.
Corev1.0.2
Added
  • Added Helper functions for configuration loading and plugin validation.
CLIv1.2.0
Added
  • sync Command: Introduced a new redenv sync command to interactively synchronize variables between any two environments. This powerful command allows for adding, updating, and removing keys to ensure two environments are perfectly aligned.
Changed
  • Simplified Configuration: The productionEnvironment field in redenv.config.json has been deprecated and removed. Commands like sync now prompt for a destination environment directly, making the workflow more flexible and explicit.
Removed
  • promote Command: The promote command has been removed and replaced by the more powerful and intuitive sync command.
JS SDKv1.0.6
Fixed
  • Fixed package.json dependencies.
CLIv1.1.4
Added
  • Interactive Shell: Introduced a new redenv shell command that launches a dedicated interactive REPL for a project environment. This provides a persistent session for running multiple commands without repeatedly entering the Master Password. The shell supports context switching, command history, and access to most Redenv commands.
Changed
  • Major Internal Refactoring for Shell Compatibility: Refactored the internal command structure to support the new interactive shell. Commands now operate in a "shell-aware" mode, allowing for seamless context switching (e.g., switch env) and more robust error handling within a REPL environment.
CLIv1.1.3
Changed
  • Removed the value argument from the add commands. Now it prompts for the value interactively for multiline values.
CLIv1.1.2
Changed
  • token command now uses randomBytes function's base64 encoding to generate random strings.
Corev1.0.1
Changed
  • enhanced randomBytes function to support custom encodings.
JS SDKv1.0.5
Added
  • Introduced a dedicated entry point for core utility functions: @redenv/client/utils. These functions (e.g., fetchAndDecrypt, setSecret) are now accessible for advanced use cases and building framework-specific clients.
Changed
  • Back to 1.0.1 for the latest stable release.
JS SDKv1.0.1
Changed
  • load() now returns a Record<string, string> instead of get() and getAll(). so from now on use load() to get secrets.
CLIv1.1.1
Changed
  • Moved the crypto logic to the @redenv/core package.
Corev1.0.0
Added
  • Initial Release: First public version of @redenv/core.
  • Cryptographic Primitives: encrypt: Encrypts data using AES-256-GCM. decrypt: Decrypts data using AES-256-GCM. deriveKey: Derives an encryption key from a password using scrypt. generateSalt: Generates a cryptographically secure random salt.
  • Secret Writing Utility: writeSecret: Provides a shared utility for performing the "read-modify-write" cycle for updating a secret's version history in Redis.
JS SDKv1.0.0
Added
  • Initial Release: First public release of the @redenv/client.
  • Zero-Knowledge Architecture: Implemented a secure client that performs all cryptographic operations locally, ensuring secrets are never exposed to the backend or any intermediaries.
  • High-Performance Caching: Integrated an in-memory stale-while-revalidate caching strategy using cachified to ensure fast and resilient secret retrieval with minimal impact on application performance.
  • Dual Access Patterns: Programmatic Access: Provides .load() which returns a get() and getAll() accessor for type-safe, explicit secret management. Environment Population: Supports populating process.env for easy integration with legacy applications.
  • Write-Back Functionality: Includes a .set(key, value) method to allow applications with sufficient permissions to add or update secrets dynamically.
  • Configuration: The client is configurable via constructor options, including project details, environment, and cache settings (ttl, swr).
CLIv1.1.0
Changed
  • BREAKING: The core crypto engine has been completely refactored from the Node.js-specific crypto module (using scrypt) to the universal Web Crypto API (using PBKDF2). This makes the entire system compatible with all modern JavaScript runtimes, including serverless and edge environments.
  • All commands have been updated to work with the new asynchronous cryptographic functions.
Fixed
  • Resolved a critical TypeScript type conflict between Node.js's webcrypto.CryptoKey and the global CryptoKey type, ensuring type safety across the project.
CLIv1.0.0
Added
  • End-to-End Encryption: Implemented a full zero-knowledge, end-to-end encryption model using a per-project Master Password system. All secrets are encrypted/decrypted locally and are never stored in plaintext.
  • Per-Secret Version History: Every change to a secret is now stored in a versioned history, providing a complete audit trail with user and timestamp information.
  • Core Commands: Full suite of commands for secret management: add, edit, view, list, remove.
  • Project Management Commands: Commands for project lifecycle: register, drop, switch.
  • Advanced Workflow Commands: Powerful commands for team and CI/CD workflows: import, export, clone, diff, promote.
  • History & Rollback Commands: history view [key]: View the complete version history of a secret. history limit [value]: Configure the number of versions to keep per secret. rollback <key>: Instantly revert a secret to a previous version.
  • Security & Safety Commands: change-password: Securely rotate a project's Master Password. backup & restore: Create and restore fully encrypted backups of your projects. doctor: A diagnostic tool to check your configuration and connectivity.
  • Application Access Management: token command suite (create, list, revoke) to manage secure, Service Tokens for applications.
  • Secure Password Caching: Implemented an optional, secure caching of unlocked project keys into the native OS keychain (keytar) for a seamless, password-less workflow during a session.
  • Unit Testing Foundation: Introduced vitest and created a foundational test suite for the critical crypto and utility modules.
  • Comprehensive Documentation: Created a detailed architectural README.md for the project root and a practical quick-start guide for the CLI package.
Changed
  • Improved register Command: The register command is now idempotent and intelligently checks for remotely existing projects to prevent accidental overwrites, allowing it to also function as a "connect to existing project" command.
  • Data Model: Migrated secret storage from a simple key-value model to a versioned JSON structure to support auditing and rollbacks.
  • Refactored Write Logic: Centralized all secret-writing logic into a single writeSecret utility to improve maintainability and consistency.
Fixed
  • UI Stability: Resolved multiple bugs where ora spinner animations would conflict with inquirer prompts, causing display loops and crashes.
  • Cryptography: Fixed a critical bug in the decrypt function's error handling that was masking specific error types.
  • System Compatibility: Tuned scrypt memory parameters to ensure compatibility with different environments, including the bun runtime.
  • Security: Fixed a security flaw where the change-password command could incorrectly use a cached keychain entry instead of requiring re-authentication.
  • Data Parsing: Corrected a recurring JSON.parse error in multiple commands by properly handling the auto-parsing behavior of the @upstash/redis client.
The beginning