envilder
Version:
A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth
168 lines (128 loc) • 7.16 kB
Markdown
## [0.5.0] - 2026-06-26
### Added
* **New `ExpiredCredentialsException`**: Thrown by the AWS SSM provider
on expired or invalid credentials (e.g. an expired session token), with
an actionable message guiding you to refresh credentials (e.g. run
`aws sso login`)
* **New `SsoSessionExpiredException`**: Thrown by the AWS SSM provider
when an AWS SSO session can no longer be resolved, exposing the AWS
profile via `ProfileName` and an actionable message that names the
`aws sso login --profile <name>` command to run. A plain expired
session token still throws `ExpiredCredentialsException`
([#377](https://github.com/macalbert/envilder/issues/377))
---
## [0.4.0] - 2026-05-18
### Changed
* **BREAKING: Root namespace for public API**: All consumer-facing types
moved from `Envilder.Application` / `Envilder.Domain` to the root
`Envilder` namespace. Consumers now only need `using Envilder;`
* **BREAKING: Facade class renamed to `Env`**: The static facade class
is now `Env` instead of `Envilder` to avoid namespace/class name collision.
Use `Env.Load(...)`, `Env.ResolveFile(...)`, `Env.FromMapFile(...)` etc.
* **Extension methods follow .NET conventions**:
`AddEnvilder()` for `IConfigurationBuilder` moved to
`Microsoft.Extensions.Configuration` namespace;
`AddEnvilder()` for `IServiceCollection` moved to
`Microsoft.Extensions.DependencyInjection` namespace.
Both are now discoverable without any Envilder-specific using directives
### Migration
Replace:
```csharp
using Envilder.Application;
using Envilder.Domain;
using Envilder.Infrastructure.Configuration;
using Envilder.Infrastructure.DependencyInjection;
```
With:
```csharp
using Envilder;
```
Replace facade calls:
```csharp
// Before
Envilder.Load("envilder.json");
Envilder.FromMapFile("envilder.json").Inject();
// After
Env.Load("envilder.json");
Env.FromMapFile("envilder.json").Inject();
```
`AddEnvilder()` extension methods now live in `Microsoft.Extensions.Configuration`
and `Microsoft.Extensions.DependencyInjection`: no Envilder-specific import needed.
ASP.NET projects already include these namespaces via global usings; console apps
may need to add them explicitly.
---
## [0.3.0] - 2026-05-03
### Added
* **Map-file JSON Schema support**: Map files can now include
`"$schema": "https://envilder.com/schema/map-file.v1.json"` for IDE
autocomplete and validation without affecting secret resolution
### Fixed
* **Reserved key filtering**: All `$`-prefixed keys are now excluded from
variable mappings. Previously only `$config` was filtered
([#218](https://github.com/macalbert/envilder/pull/218))
---
## [0.2.0] - 2026-04-18
### Added
* **Static facade**: `Envilder` class with one-liner API for resolving and injecting secrets
* `ResolveFile(path)` / `ResolveFileAsync(path)`: Resolve secrets from a map file
* `Load(path)` / `LoadAsync(path)`: Resolve and inject secrets into `Environment`
* `ResolveFile(env, mapping)` / `Load(env, mapping)`: Environment-routed overloads
* `FromMapFile(path)`: Fluent builder with `.WithProvider()`, `.WithProfile()`, `.WithVaultUrl()`
* `EnvilderBuilder.Resolve()` / `ResolveAsync()` / `Inject()` / `InjectAsync()`: Fluent terminal methods
* `ISecretProvider.GetSecret(name)`: Synchronous secret retrieval (new interface method)
* `AwsSsmSecretProvider.GetSecret(name)`: Sync AWS SSM implementation
* `AzureKeyVaultSecretProvider.GetSecret(name)`: Sync Azure Key Vault implementation
* `EnvilderClient.ResolveSecrets(mapFile)`: Sync secret resolution
### Changed
* **Simplify `AddEnvilder` extensions**: `IConfigurationBuilder.AddEnvilder()` and
`IServiceCollection.AddEnvilder()` now accept `(string mapFilePath, EnvilderOptions? options)`
instead of requiring a manually-created `ISecretProvider`
([#167](https://github.com/macalbert/envilder/pull/167))
* **Cross-provider validation**: `SecretProviderFactory` now rejects invalid combinations:
AWS profile with Azure provider, or Vault URL with AWS provider
([#167](https://github.com/macalbert/envilder/pull/167))
### Breaking
* `SecretProviderFactory` is now `internal`: External code that referenced this type
directly will no longer compile. Use the `Envilder` facade, `EnvilderBuilder`
(`Envilder.FromMapFile(...)`), or the `AddEnvilder(string, EnvilderOptions?)` extensions instead
([#167](https://github.com/macalbert/envilder/pull/167))
* `ISecretProvider.GetSecret(string name)`: New required interface method. External
implementations of `ISecretProvider` must add a synchronous `GetSecret` method
(return `null` for missing secrets, matching the `GetSecretAsync` contract)
* `ServiceCollectionExtensions.AddEnvilder(string, ISecretProvider)` signature removed. Use
`AddEnvilder(string, EnvilderOptions?)` instead
* `ConfigurationBuilderExtensions.AddEnvilder(string, ISecretProvider)` signature removed. Use
`AddEnvilder(string, EnvilderOptions?)` instead
### Fixed
* **Delegate default AWS region resolution to the AWS SDK**: When no profile is set, the
factory no longer manually resolves the region via `ResolveRegion()`. Instead it creates a
plain `AmazonSimpleSystemsManagementClient()` which uses the full AWS SDK resolution chain
(env vars → `~/.aws/config` → instance metadata), correctly picking up the default config
file settings
([#166](https://github.com/macalbert/envilder/pull/166))
* **Respect `AWS_SHARED_CREDENTIALS_FILE` for profile resolution**: `CredentialProfileStoreChain`
now receives the credentials file path from the `AWS_SHARED_CREDENTIALS_FILE` environment
variable, fixing profile discovery when credentials are stored at non-default locations
([#166](https://github.com/macalbert/envilder/pull/166))
### Testing
* Unit tests for facade validation, env routing, and fluent builder chaining
* Acceptance tests for `ResolveFile` and `Load` against LocalStack
* Sync `GetSecret` tests for AWS SSM and Azure Key Vault providers
* Sync `ResolveSecrets` test for `EnvilderClient`
## [0.1.0] - 2026-04-09
### Added
* **Initial release**: Runtime library for loading secrets from AWS SSM Parameter Store or Azure Key Vault
directly into .NET applications ([#147](https://github.com/macalbert/envilder/pull/147))
* `EnvilderClient`: Resolves secrets from a map-file and returns them as a dictionary
* `MapFileParser`: Parses `envilder.json` files with `$config` section and variable mappings
* `SecretProviderFactory`: Creates the appropriate secret provider based on configuration
* `AwsSsmSecretProvider`: Fetches secrets from AWS SSM Parameter Store
* `AzureKeyVaultSecretProvider`: Fetches secrets from Azure Key Vault
* `IConfiguration` extensions: Load secrets directly into .NET configuration
* `IServiceCollection` extensions: Register Envilder in the DI container
* `EnvilderOptions`: Runtime overrides for provider, vault URL, and AWS profile
* Targets .NET Standard 2.0 (compatible with .NET 6+, .NET Framework 4.6.1+)
* Published to NuGet as `Envilder`
### Testing
* Unit tests with xUnit, NSubstitute, AwesomeAssertions, and AutoFixture
* Acceptance tests with TestContainers (LocalStack for AWS, Lowkey Vault for Azure)