env-pull: Zero Disk Config CLI
1. The Problem
Every development team eventually suffers from the ".env Variable Shuffle". Developers constantly context-switch — leaving their IDE to open a browser, authenticate to a cloud console, and hunt for specific keys. They copy these raw credentials and paste them into unencrypted, plaintext .env.local files sitting completely exposed on their hard drives.
The downstream effects are catastrophic: developers forget to delete files after testing, leading to accidental commits to version control, exposed keys during screen shares, and massive security liabilities if a laptop is lost or stolen. The industry's current response is to force massive top-down adoption of heavy secrets managers, requiring organizations to migrate all their secrets into entirely new platforms, which creates immense friction and delays adoption.
2. The Solution
I built env-pull as my first open-source project to solve this exact friction. env-pull is a Universal Secrets Adapter. Instead of acting as another centralized secrets manager, it functions as an invisible, temporary bridge. It securely fetches credentials from an enterprise's existing vaults and injects them directly into your application's memory during local development. The result is a fundamentally zero-disk (no plaintext files) and zero-config (utilizing your existing authentication context) local development experience.
3. Detailed Walkthrough
Under the Hood: Architecture & Injection Mechanics
To prioritize speed and maintain a developer's flow state, the CLI client is written entirely in Go. This allows it to compile as a statically linked binary with zero runtime dependencies and boot in under 50 milliseconds.
Wrapping every process execution during hot-reloading would mean a vault request on every restart, which at scale triggers massive API rate-limiting from the upstream vaults. To avoid this bottleneck, env-pull relies on Process Tree Inheritance: it fetches secrets exactly once, spawns an entirely new sub-shell, and injects the secrets into that shell's environment, which is held in process memory. Every subsequent development command run inside that shell inherits them without making further network calls.
Executing the Workflow
Booting an application without its environment variables fails like this, and it is this failure that drives developers to plaintext .env files:
node index.js
=== Application Lifecycle Initialized ===
Database Access String : [MISSING - Connection Failed]
Payment Gateway Token : [MISSING - Fallback Triggered]
=== Application Lifecycle Terminated ===
Handling Local Cryptographic Security
Not all configurations live in a shared corporate vault; developers frequently need personal overrides. Instead of falling back to insecure files, you can execute the env-edit flow:
env-pull edit
This command temporarily decrypts a secure file into your IDE's memory buffer. You paste your configurations using normal file-editing muscle memory. Upon saving and closing, the tool passes the data to a structural crypto module, aggressively overwrites the temporary buffer with zeros to prevent flash-storage forensic recovery, and outputs an AES-GCM encrypted .env.pull.enc file directly into your repository workspace.
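A minimal Go sketch of the save step described above, added here as an illustration and not taken from env-pull's source: the edited text is sealed with AES-GCM and the plaintext buffer is then zeroed. The key (a constructed demo value) and the nonce-then-ciphertext layout are assumptions, since the page describes neither.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds the AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag (assumed layout) and zeroes plaintext.
func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := gcm.Seal(nonce, nonce, plaintext, nil) // fresh random nonce per save
	for i := range plaintext {
		plaintext[i] = 0
	}
	return blob, nil
}

// unseal authenticates and decrypts; a modified byte makes Open return an error.
func unseal(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	gcm, err := newGCM([]byte("constructed-demo-key-32-bytes-xx"))
	if err != nil {
		panic(err)
	}
	blob, sealErr := seal(gcm, []byte("API_KEY=constructed-value\n"))
	pt, openErr := unseal(gcm, blob)
	fmt.Printf("%d-byte blob -> %q (seal err=%v, open err=%v)\n", len(blob), pt, sealErr, openErr)
}
```

Zeroing covers only this one buffer; copies made elsewhere (by the editor, by string conversions, or in swap) are outside its reach.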
Sub-process Injection
To load these encrypted secrets, you do not configure an SDK or alter your application code. You simply prefix your execution command:
env-pull run node index.js
The variables are injected securely, and the exact millisecond the child runtime context terminates, the secrets vanish. There are no dangling strings in your shell history and no unencrypted values resident on your computer's persistent storage.
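The fetch-once sub-shell model from the architecture section and the run prefix above, as an added Go sketch that is not env-pull's own code: a stubbed vault call runs once, and the secrets are placed only in the sub-shell's environment, where its child processes inherit them. `fetchFromVault`, the variable name and the token value are hypothetical and constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"sync"
)

var (
	once       sync.Once
	cached     map[string]string
	fetchCount int // how many times the stubbed vault was called
)

// fetchFromVault stands in for a real vault request; the value is constructed.
func fetchFromVault() map[string]string {
	fetchCount++
	return map[string]string{"PAYMENT_GATEWAY_TOKEN": "tok_constructed_123"}
}

// loadOnce performs the vault request a single time per parent process.
func loadOnce() map[string]string {
	once.Do(func() { cached = fetchFromVault() })
	return cached
}

// runInSubshell starts one sub-shell whose environment carries the secrets.
// os.Setenv is never called, so the parent's own environment stays clean.
func runInSubshell(script string) (string, error) {
	cmd := exec.Command("sh", "-c", script)
	cmd.Env = os.Environ()
	for k, v := range loadOnce() {
		cmd.Env = append(cmd.Env, k+"="+v) // last duplicate key wins in os/exec
	}
	out, err := cmd.Output()
	return strings.TrimSpace(string(out)), err
}

func main() {
	// Two separate child processes of the sub-shell inherit the same variable.
	out, err := runInSubshell("printenv PAYMENT_GATEWAY_TOKEN; printenv PAYMENT_GATEWAY_TOKEN")
	fmt.Printf("children saw: %q (err=%v)\n", out, err)
	_, inParent := os.LookupEnv("PAYMENT_GATEWAY_TOKEN")
	fmt.Println("vault calls:", fetchCount, "| set in parent:", inParent)
}
```

While the child is alive, its environment is inherited by every descendant and is readable by other processes running as the same user (on Linux through /proc/<pid>/environ), so the guarantee is about disk, not about process isolation.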
Upstream Vault Integrations
For corporate secrets, env-pull hooks straight into existing local cryptographic sessions and native authentication protocols without duplicating configurations.
AWS Secrets Manager — Inherits your existing AWS CLI SSO session to pull infrastructure credentials directly into the runtime container.
env-pull run --aws-secret production/core-service node index.js
1Password Teams — Communicates with the local IPC desktop socket via biometric unlock (TouchID / Windows Hello) to access scoped vault references seamlessly.
env-pull run --op-secret "op://Staging/CoreAPI/api-keys" node index.js
Bitwarden — Translates complex JSON schemas from the Bitwarden CLI token framework directly into the standard memory map required by your local process.
4. Key Takeaways
- Zero Plaintext — Completely eliminates unencrypted local files and hard drive exposure, protecting against screen share leaks and stolen laptops.
- Blazing Fast Architecture — Built in Go to achieve sub-50ms boot times and utilizes Process Tree Inheritance to prevent API rate-limiting during hot-reloads.
- Zero-Config Integrations — Natively bridges AWS, 1Password, and Bitwarden into application memory by passively inheriting your existing local authentication contexts.
Get Involved: As an open-source project, env-pull needs the community to evolve. Star the repository on GitHub, install the CLI via your preferred package manager, and contribute your feedback or pull requests.