June 1, 2026

May 2026 Recap

Varlock Team

May kept the momentum going: OIDC workload identity federation shipped across secret provider plugins, varlock@1.4.0 added audit tooling and agent-friendly workflows, and we had a great time meeting folks at Web Summit Vancouver and Toronto Tech Week.

🔧 Core Improvements

May included four core releases — varlock@1.1.0 through varlock@1.4.0 — with a strong focus on CI/deploy auth, schema hygiene, and AI/agent ergonomics.

OIDC workload identity

Secret provider plugins now support OIDC workload identity federation: Varlock auto-detects short-lived OIDC tokens from platforms like Vercel, GitHub Actions, GitLab CI, and Fly.io, then exchanges them for temporary credentials with AWS, Azure, Google Secret Manager, HashiCorp Vault, Infisical, and Akeyless. No long-lived “secret zero” needed to fetch the rest of your secrets.

Audit and schema hygiene

varlock audit - New code env scanner and audit command to find schema items missing from application code (and vice versa). See varlock audit, @auditIgnore, and @auditIgnorePaths(). Thanks @danish-fareed.
@deprecated item decorator - Mark variables as deprecated with strikethrough in pretty output and @deprecated JSDoc in generated types. (PR #644)
Load summaries for automation - --summary-stderr / --summary-file on varlock load, plus fullResult on execSyncVarlock for programmatic consumers. (PR #681)

Agent and DX improvements

--agent flag - Non-interactive varlock init and varlock load for AI coding assistants and automation. See the AI tools guide.
Shell tab completion - varlock complete for bash, zsh, and fish. See the shell completion guide.
Varlock agent skill - Installable via npx skills add dmno-dev/varlock for Cursor and other agent harnesses. (PR #719)
Unified error handling - Severity levels across load failures, with plugin loading errors surfaced in DataSource.errors. (PR #708)
Vite dev error UX - Styled HTML error pages when varlock load fails in dev mode, with partial env data available on failure.

Fixes and reliability

Biometric / keychain sessions - Better session scoping for non-TTY agents (Codex and similar) to avoid repeated Touch ID prompts. (PR #675, PR #718)
WSL hardening - Fixed varlock encrypt on WSL and standalone binary edge cases. (PR #679, PR #711)
Decorator parsing - Stray text on decorator lines no longer causes silently ignored decorators. (PR #724)

🔌 Integrations and Plugins

May shipped coordinated 1.1.x releases across the ecosystem, with OIDC support landing in cloud secret manager plugins:

@varlock/aws-secrets-plugin, @varlock/azure-key-vault-plugin, @varlock/google-secret-manager-plugin, @varlock/hashicorp-vault-plugin, @varlock/infisical-plugin, @varlock/akeyless-plugin - OIDC workload identity federation support.
@varlock/1password-plugin - Added useCliWithServiceAccount for memory-constrained headless environments that prefer the op CLI over the WASM SDK. (PR #692)
@varlock/cloudflare-integration - TanStack Start + Vite 6/7/8 compatibility, varlock-wrangler fixes for versions upload, styled dev error pages, and clearer env reload feedback when watched files change but resolved env does not.
@varlock/nextjs-integration and @varlock/vite-integration - Improved env reload feedback and graceful partial-load behavior on validation failures.
env-spec-language and @env-spec/parser - Parser and editor tooling updates alongside core releases.

🌐 Content Highlights

Community energy was strong this month across events, podcasts, and video:

Software Defined Talk Episode 571: The Enterprise Dunbar number - Listener JD gave Varlock a shout-out (~47:00). And then Brandon gives Varlock an official shout-out in episode #573. Thank you JD and Brandon!
I Deployed to Vercel and Only Set One Secret — varlock Did the Rest - Thiago Temple walks through a Vercel deploy using Varlock, SvelteKit, and 1Password
Community-built Zed extension - Peter Cruckshank shared a Zed editor extension for .env.schema highlighting and autocomplete: tweet. Peter said he will open a PR into the main repo so we can make this a first-party extension in the future.

💬 Community

We’re always looking for feedback and ideas. Join our community:

Discord - Chat with us and other users.
GitHub Discussions - Suggestions, questions, and feature ideas.
GitHub - Star the project and follow updates.
X - Follow us on X.
Bluesky - Follow us on Bluesky.