GitHub - oneseal-io/oneseal: 🔐 Secrets, configs, and platform outputs as code

Secrets, configs, and platform outputs as code.
Type-safe · Version-controlled · Encrypted.

Stop copy-pasting secrets.
Turn config sprawl into code you can trust.

flowchart TD
    S["📂 Possible Sources<br><br>Terraform state<br>Pulumi state<br>AWS/Azure/Google Vaults<br>.env files<br>Any Vault system<br>Custom YAML/JSON"]

    A["🔍 Sources<br><br>🔐 Secrets · 🌐 URLs<br>🚀 Feature Flags · 📊 IDs<br>🔧 Connection Strings"]

    S --> A
    style S fill:#1a1f2e,stroke:#7c3aed,stroke-width:2px,color:#e9d5ff

    B["⚙️ OneSeal Engine<br><br>🔒 Encrypt · 🏗️ Generate<br>🔑 Multi-key · 📝 Type-safe"]

    C["📦 Generated Artifacts<br><br>Language SDKs<br>Infrastructure Modules<br>CI/CD Templates"]

    E["🏗️ Infrastructure Modules<br><br>Terraform · Pulumi<br>Ready-to-use"]
    D["💻 Application SDKs<br><br>TypeScript · Python · Go<br>Type-safe interfaces"]
    F["🚀 Pipeline Templates<br><br>GitHub Actions<br>Azure DevOps"]

    A --> B
    B --> C
    C --> D
    C --> E
    C --> F

    style A fill:#1e293b,stroke:#38bdf8,stroke-width:2px,color:#e0f2fe
    style B fill:#0f172a,stroke:#22d3ee,stroke-width:3px,color:#cffafe
    style C fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#d1fae5
    style D fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff
    style E fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff
    style F fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff

    %% Invisible spacer for bottom padding
    F ~~~ Z[" "]
    style Z fill:none,stroke:none

OneSeal turns platform outputs into versioned, type-safe SDKs. Eliminate runtime errors and connect services with confidence.

What OneSeal Delivers — overview of artifacts (secrets, URLs, feature flags, etc.)
The Problem — common secret/config pain points
The Solution: Secrets-as-Code — how OneSeal helps
Before vs After — example workflows and code
Installation — macOS / Linux / From source
Quickstart — 30s demo, Terraform example
Using with Docker — Using with Docker
How It Works — pipeline & workflow
Security Architecture — Age keys, encryption model
Key Features — for DevOps, developers, and teams
Integrations — current & upcoming sources / SDKs
Commands — CLI reference (generate, generate-key, ...)
FAQ — common questions
Monitoring & Observability — alerts & metrics
Vote for What Comes Next — SDKs and input sources
Acknowledgments — third-party credits
License & Philosophy — MIT + principles

📦 What OneSeal Delivers

🔐 Secrets — Encrypted by default if marked as sensitive (passwords, API tokens, keys)
🌐 Service URLs — API endpoints, CDN domains, callback URLs
🚀 Feature Flags — Environment-specific configuration values
📊 Resource IDs — ARNs, bucket names, queue identifiers
🔧 Connection Strings — Databases, caches, brokers
📝 Any Platform Output — Developers need to consume safely

😩 The Problem

Every team knows this pain:

"What's the S3 bucket name for uploads?" → Check the wiki...
"What's the database password again?" → Check Slack/Discord/Teams...
"The API key changed!" → App crashes in production at 3 AM
"I renamed that secret..." → 5 services break silently
process.env.DATBASE_URL → Typo goes unnoticed for weeks
"How do we share this with the new dev?" → Another risky copy-paste

Your secrets are scattered across Vault, AWS Secrets Manager, Terraform outputs, and a dozen other places. Your developers access them through error-prone string lookups. There's no type safety, no version control, and no single source of truth.

💡 The Solution: Secrets-as-Code

OneSeal transforms your platform secrets into typed, versioned, encrypted SDKs that live in your git repository. One command turns chaos into code.

🔄 Before vs After

❌ Before OneSeal

// Runtime errors waiting to happen
const dbPass = process.env.POSTGRES_PASSWORD; // undefined?
const apiKey = process.env.STRIPE_KEY; // or was it STRIPE_API_KEY?

// Hardcoded secrets everywhere (we've all done this)
const config = {
  // Found this in the wiki... is it still valid?
  database: {
    host: "postgres-prod.us-east-1.rds.amazonaws.com",
    password: "P@ssw0rd123!" // TODO: move to env vars (6 months ago)
  },

  // Dave said use this one in the standup
  stripe: {
    key: "sk_live_4eC39HqLyjWDarjtT1zdp7dc" // 🚨 PRODUCTION KEY IN CODE
  },

  // Copy-pasted from onboarding doc (last updated: 2021)
  redis: {
    host: "redis-prod-cluster.cache.amazonaws.com",
    password: "xY3$a9Qm#2kL8nP5" // Hope nobody changed this
  }
};

// No idea what other secrets exist or their structure
// New dev: "Where do I find the OAuth client secret?"
// You: "Uhh... ask Sarah, she set it up"

✅ After OneSeal

// index.ts
import { State } from '@contoso/my-infra';

const state = new State();
const outputs = await state.initialize();

// Full type safety and IntelliSense
const db = outputs.database.postgresql;
//                  ^-- AutoComplete shows: host, port, username, password

const stripe = outputs.payments.stripe.secretKey;
//                       ^-- TypeScript knows the exact structure

// Redis config? Just follow the dots
const redis = outputs.cache.redis;
//                ^-- No more "what was that env var called?"

// New dev onboarding is now:
// 1. npm install @contoso/my-infra
// 2. That's it. Seriously.

// 🎉 Benefits:
// ✅ Compile-time safety - typos are impossible
// ✅ Version controlled - rollback anytime
// ✅ Encrypted - safe to commit to git
// ✅ One dependency - not 50 env vars
// ✅ Self-documenting - the IDE knows everything

🛠 Installation

Download Binary

Download the latest binary for your platform from GitHub Releases:

📋 Prerequisites

Before using OneSeal, ensure you have the following installed on your host:

Required

npm For installing deps of the generated SDK package

# Check if you have Node.js and npm installed
npm --version   # Should show 6.0.0 or later
# Install Node.js if needed:
# macOS: brew install node
# Ubuntu/Debian: sudo apt install nodejs npm

🚀 Quickstart

30 Seconds: Try It Now

# Generate a demo SDK with sample secrets (random Terraform state outputs)
oneseal generate

# Install in your project (replace with the path shown in the output)
npm install ./oneseal-demo-sdk/oneseal-demo-sdk-0.1.0.tgz
# or: yarn add ./oneseal-demo-sdk/oneseal-demo-sdk-0.1.0.tgz
# or: bun add ./oneseal-demo-sdk/oneseal-demo-sdk-0.1.0.tgz

then depending of your TypeScript/JavaScript project

🧩 ESM (TypeScript or JavaScript, recommended)

// index.ts / index.mjs
import { State } from 'oneseal-demo-sdk';
const state = await new State().initialize();
console.log(state.database.connectionString);

Requires: "type": "module" in package.json Run:

npx tsx src/index.ts
# or
node index.mjs
# or
bun index.ts

⚙️ CommonJS (TypeScript or JavaScript)

// index.ts / index.js
const { State } = require('oneseal-demo-sdk');
(async () => {
  const s = new State();
  await s.initialize();
  console.log(s.database.connectionString);
})();

Requires: "type": "commonjs" (or no "type" field) For TypeScript, also add to your tsconfig.json:

{
  "compilerOptions": {
    "types": ["node"],
    "esModuleInterop": true
  }
}

Run:

ts-node src/index.ts
# or
node index.js

💡 Tip: Prefer ESM if possible — it’s modern, supports top-level await, and aligns with most SDKs.

2 Minutes: Real Terraform State

# Generate SDK from your actual Terraform outputs
oneseal generate terraform.tfstate --name @contoso/my-infra

# The CLI will output the path to your new SDK package:
# By default ./oneseal-dist
# > ✅ SDK package created at: ./oneseal-dist/@contoso/my-infra-1.0.0.tgz

# where your TypeScript/Javascript project lives
cd /to-my-project

# Install in your project (replace with the path shown in the output)
npm install /path/to/oneseal-sdk/@contoso/my-infra-1.0.0.tgz
# or: yarn add /path/to/oneseal-sdk/@contoso/my-infra-1.0.0.tgz
# or: bun add /path/to/oneseal-sdk/@contoso/my-infra-1.0.0.tgz

// index.ts
import { State } from '@contoso/my-infra';
const state = await new State().initialize();
console.log(state.database.connectionString); // Fully typed!

5 Minutes: Team Collaboration

This workflow enables a team to securely share secrets, with distinct steps for developers and CI.

1. Developer Setup (for Alice, Bob, etc.)

Each developer generates their personal key once. OneSeal handles the storage automatically.

# Developer runs this on their machine
oneseal generate-key

# ✅ Keypair stored in ~/.oneseal/
# Public key printed to console: age1vwd8j... (Share this with your team lead / private git repo, via teams, etc...)

2. CI/CD Key Setup

Generate a dedicated, non-user key for your automation pipeline. This last will be used to decrypt during runtime all secrets / metadata.

# Use --output to create key files in the current directory for CI
oneseal generate-key --output ./ci

# This creates two files:
# - ci.pub: The public key. Commit this or share it.
# - ci.key: The private key.
# Add this to your;
#   - CI's secret store.
#   - Kubernetes cluster
#   - Cloud provider's secret store (KV, etc..).
#   - etc..

3. Generate the Team SDK

The team lead (or an automated process) collects all public keys and generates the SDK.

💡 Advanced Tip: For streamlined team workflows, store all team public keys in a dedicated Git repository (e.g., company/oneseal-keys). Clone it locally, then point --public-key-path to the directory when generating SDKs. OneSeal will automatically encrypt for all keys found:

# Clone your team's public key repository
git clone [email protected]:company/oneseal-keys.git

# Generate SDK using all public keys in the directory
oneseal generate terraform.tfstate \
  --name @contoso/my-infra \
  --public-key-path ./oneseal-keys/

# OneSeal automatically discovers and uses:
# - oneseal-keys/alice.pub
# - oneseal-keys/bob.pub
# - oneseal-keys/ci.pub
# - oneseal-keys/staging-server.pub

This approach eliminates manual key management—add a new team member's .pub file to the repo, and the next SDK generation includes them automatically.

oneseal generate terraform.tfstate \
  --name @contoso/my-infra \
  --public-key "age1alice..." \
  --public-key "age1bob..." \
  --public-key-path ./ci.pub

4. Commit and Distribute

Commit the generated SDK to a private Git repository.

# The SDK is created in ./oneseal-dist by default
cd ./oneseal-dist
git init && git add . && git commit -m "feat: Initial secrets SDK"
# (Now, push this to a new private repository on GitHub/GitLab)

5. Install and Use

Developers and CI can now install the package. OneSeal automatically finds the correct private key.

# Install from the private Git repo
npm install git+ssh://[email protected]/contoso/my-infra.git

# In CI, expose the private key from your secret store.
# OneSeal will use this if a key isn't found in the default ~/.oneseal/age.key
export ONESEAL_AGE_PRIVATE_KEY="AGE-SECRET-KEY-18AM8..."

ℹ️ Note: You can also push the generated SDK as a tarball to package repositories like npm.js, Verdaccio, or any other compatible registry for easier distribution and version management.

🔥 Living Dangerously: Skip Encryption

Sometimes you just want to move fast. We get it.

# Generate SDK with zero encryption
oneseal generate terraform.tfstate \
  --name @contoso/my-infra \
  --disable-encryption

# 🚨 All secrets in plaintext!

When to go commando:

🏠 Local development with dummy data
🧪 Testing environments with fake credentials
📋 Non-sensitive config (feature flags, URLs, etc.)
🏃‍♂️ Quick prototypes that'll never see prod

When NOT to:

🚫 Production secrets (obviously)
🚫 Real API keys
🚫 Actual passwords

Remember: With great power comes great responsibility. Encrypted by default, plaintext by choice.

🐳 Using with Docker

OneSeal is available as a Docker image, perfect for CI/CD pipelines or containerized workflows.

1. Quick Start with Docker

# Run OneSeal in demo mode (generates example SDK with sample secrets)
docker run -it \
  -v $PWD:/app \
  -v $PWD:/root/.oneseal \
  stanguc/oneseal:latest generate

What this does:

Mounts your current directory as /app (where the SDK will be generated)
Mounts your current directory as /root/.oneseal (where encryption keys are stored)
Runs generate command in demo mode

Generated files:

ls -la
# age.key           # Private encryption key (keep secret!)
# age.pub           # Public encryption key (safe to share)
# oneseal-demo-sdk/ # Generated TypeScript SDK with demo secrets

After generation, the encryption key is needed to decrypt secrets at runtime:

npm install my-sdk/oneseal-demo-sdk

# Via environment variable
export ONESEAL_AGE_PRIVATE_KEY_PATH="$PWD/age.key"

// index.ts
import { State } from 'oneseal-demo-sdk';

const state = await new State().initialize();
console.log(state.database.connectionString); // Fully typed! Enjoy !

2. Using Your Own Terraform State

# Generate SDK from your Terraform state
docker run -it \
  -v $PWD:/app \
  -v $PWD:/root/.oneseal \
  -v $PWD/contoso-infra-dev.state:/tmp/contoso-infra-dev.state:ro \
  stanguc/oneseal:latest generate \
    --state-path /tmp/contoso-infra-dev.state \
    --output-directory /app/contoso-infra-sdk \
    --name @contoso/my-infra

Use the generated SDK

After generation, the encryption key is needed to decrypt secrets at runtime:

npm install contoso-infra-sdk/@contoso/my-infra-1.0.0.tgz

# Via environment variable
export ONESEAL_AGE_PRIVATE_KEY_PATH="$PWD/age.key"

// index.ts
import { State } from '@contoso/my-infra';

const state = await new State().initialize();
console.log(state.database.connectionString); // Fully typed! Enjoy !

Docker in CI/CD

Example GitHub Actions workflow:

- name: Generate OneSeal SDK
  run: | # we suppose /app is a Git folder
    docker run --rm \
      -v ${{ github.workspace }}:/app \
      -v $PWD/contoso-infra-prod.state:/tmp/contoso-infra-prod.state:ro \
      -v $PWD/contoso-infra-staging.state:/tmp/contoso-infra-staging.state:ro \
      stanguc/oneseal:latest generate \
        --public-key "${{ secrets.ONESEAL_AGE_PRIVATE_KEY_PATH }}" \

        --env prod \
        --state-path /tmp/contoso-infra-prod.state \

        --env staging \
        --state-path /tmp/contoso-infra-staging.state \

        --output-directory /app/@contoso/my-infra \
        --name @contoso/my-infra

- name: Build SDK and push to Git
  working-directory: '@contoso/my-infra'
  run: |
    git add .
    git commit -m "feat: update infrastructure outputs SDK"
    git push origin main

Volume Mounts Explained

Mount	Purpose	Required
`-v $PWD:/app`	Output directory for generated SDK	✅ Always
`-v $PWD:/root/.oneseal`	Encryption keys storage	Only for local dev
`-v /path/to/state:/state:ro`	Input Terraform state (read-only)	✅ Always

🎯 How It Works

flowchart TD
    A["📄 Terraform State<br><br>terraform.tfstate<br>Contains secrets & config"]

    B["🔑 Public Keys<br><br>Environment-specific<br>Multi-recipient encryption"]

    C["⚙️ OneSeal Generate<br><br>Extract · Encrypt · Build<br>Type-safe SDK creation"]

    D["📦 Typed SDK<br><br>Encrypted secrets<br>Ready for distribution"]

    E["🔒 Private Git Repo<br><br>Encrypted artifacts<br>Version controlled"]

    F["💻 Application Code<br><br>Import SDK<br>Use typed secrets"]

    G["🔑 Private Key<br><br>Runtime decryption<br>Environment-specific"]

    H["✅ Decrypted Secrets<br><br>Type-safe access<br>Zero plaintext"]

    A --> C
    B --> C
    C --> D
    D --> E
    E --> F
    G --> F
    F --> H

    style A fill:#1f2937,stroke:#7c3aed,stroke-width:2px,color:#e9d5ff
    style B fill:#1f2937,stroke:#7c3aed,stroke-width:2px,color:#e9d5ff
    style C fill:#0f172a,stroke:#22d3ee,stroke-width:3px,color:#cffafe
    style D fill:#1e293b,stroke:#10b981,stroke-width:2px,color:#d1fae5
    style E fill:#1e293b,stroke:#3b82f6,stroke-width:2px,color:#dbeafe
    style F fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff
    style G fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fecaca
    style H fill:#0a3622,stroke:#84cc16,stroke-width:2px,color:#d9f99d

OneSeal Workflow:

Extract & Encrypt - Platform teams run oneseal generate on Terraform state files using team public keys to create encrypted, type-safe SDKs
Version Control - The generated SDK (containing only encrypted data) gets committed to your private repository like any other code artifact
Standard Installation - Developers install the SDK through normal package management (npm install, pip install) with no special setup required
Runtime Decryption - Applications automatically decrypt secrets in-memory using environment-specific private keys (local development keys or CI environment variables)
Type-Safe Consumption - Code gets full TypeScript/Python type safety with zero plaintext credentials anywhere in the codebase or configuration files

The key insight: secrets become versioned, encrypted code artifacts that follow standard software development practices while maintaining security through asymmetric encryption.

🔐 Security Architecture

One Password to Rule Them All

Development: Developers have their Age private key
CI/CD: Single ONESEAL_AGE_PRIVATE_KEY environment variable
Production: Same key unlocks ALL your secrets

Why This Is Revolutionary

Before: 50 secrets = 50 environment variables to manage
After: 1 private key = access to entire typed secret SDK
Benefit: Rotate one key instead of updating dozens of secrets
Enterprise collaboration: Break silos — dev, ops, and security consume the same trusted outputs.
Cross-team & cross-stack: Securely share secrets and configs across departments, clients, and any tech stack — one source, many consumers.

Encryption Details

Selective Encryption: When using a Terraform state file as a source, OneSeal automatically detects the sensitive = true flag on your outputs. Only these values are encrypted. For other sources, you can specify which values to encrypt.
Algorithm: Age with X25519 (Curve25519) for key exchange + AES/ChaCha20 for data encryption
Multi-recipient: Each team member decrypts with their own private key (just share a public key)
Git-safe: Encrypted files are compact, stable, and diff-friendly in version control
Ephemeral security: Each secret uses a fresh symmetric key, providing forward secrecy

🌟 Key Features

For DevOps Engineers

Unified secret source: Works with Terraform, Vault, AWS SM (more coming)
Version control: Track secret schema changes like code changes
Team management: Add/remove recipients without re-encrypting
Audit trail: Git history shows who changed what

For Developers

Type safety: No more typos or undefined secrets
IDE support: Full IntelliSense and auto-completion
Local development: Same SDK works everywhere
No more copy-paste: Install secrets like any other dependency

For Everyone

Single source of truth: Git becomes your secret repository
Idiomatic workflow: Secrets distributed like npm packages
Safer than Slack: No more credentials in chat history
Compile-time validation: Catch issues before runtime

🔌 Integrations

Current Sources

Source	Status	Import From
Terraform	✅ Ready	State file outputs

Upcoming Sources

Source	Status	Import From
.env	🚧 Soon	.env files
Pulumi	🚧 Soon	Pulumi state outputs
HashiCorp Vault	🚧 Soon	KV v2 secrets
AWS Secrets Manager	🚧 Soon	Secret values
Azure Key Vault	🚧 Soon	Secret values
Google Secret Manager	🚧 Soon	Secret values
Doppler	📋 Planned	Project configs
Infisical	📋 Planned	Environments
1Password	📋 Planned	Vaults
Custom YAML/JSON	📋 Planned

OneSeal complements these tools—they store secrets, we distribute them as code.

SDK Languages

Language	Status	Package Type
TypeScript	✅ Ready	npm package
Python	🚧 Soon	pip package
Go	🚧 Soon	go module
PHP	🚧 Soon	PHP package
Java	🚧 Soon	Artifact/Library
GitHub Actions	🚧 Soon	workflow files
Azure DevOps	🚧 Soon	templates files
Terraform	📋 Planned	encrypted modules

🤷 Why Not Just Use...?

Environment Variables?

❌ No type safety — process.env.DATBASE_URL (typo) fails at runtime, not compile time
❌ No version control — Who changed API_KEY last Tuesday? Good luck finding out.
❌ Hard to share securely — Slack messages? Email? Sticky notes? All terrible.
❌ No structure — Flat namespace of strings. Is it DB_HOST or DATABASE_HOST?
❌ No validation — Undefined values discovered in production at 3 AM
✅ OneSeal: Typed, versioned, encrypted, structured, validated at build time

Secret Managers (Vault/AWS Secrets Manager/Azure Key Vault)?

✅ Great for storage — Keep using them! OneSeal complements them.
❌ Complex runtime dependencies — Network calls, authentication, retry logic, failure handling
❌ No compile-time checks — Typos like getSecret("databse_url") only fail at runtime
❌ String-based access — No IDE autocomplete, no refactoring support
❌ Operational overhead — VPN required? Service mesh? Rate limits? Downtime?
✅ OneSeal: Fetch secrets once → Generate SDK → Zero runtime network calls → Full type safety

OneSeal + Secret Managers = Best of Both Worlds

Secret managers store and rotate secrets
OneSeal distributes them as type-safe, encrypted code
Update the SDK when secrets change (like updating any dependency)

.env Files?

✅ Simple and familiar — Developers know how to use them
❌ Plaintext — Can't safely commit to Git (but everyone does anyway 😬)
❌ No validation until runtime — Missing variables? Wrong format? Find out in prod!
❌ Manual distribution — "Hey can you send me the .env file?" (via Slack, of course)
❌ No history — Who changed what? When? Why?
❌ Merge conflicts — Different values per environment = Git nightmare
✅ OneSeal: Think of it as an encrypted, type-safe, version-controlled .env on steroids

Hardcoded Secrets (Let's Be Honest)?

❌ Security nightmare — API keys in public repos = instant pwned
❌ Rotation hell — Changing a hardcoded secret = code deploy
❌ Audit failure — Compliance teams will have questions
❌ Git history forever — Even after you delete it, it's still there
✅ OneSeal: Encrypted secrets safe to commit, type-safe access, no more hardcoding

Configuration Management (Ansible/Chef/Puppet)?

✅ Great for infrastructure — Keep using them for server config
❌ Not developer-friendly — Ops tools, not dev tools
❌ No type safety — YAML/JSON strings everywhere
❌ Complex workflows — Run playbooks just to get a database password?
✅ OneSeal: Developer-first, type-safe, install like any npm package

Kubernetes Secrets?

✅ Native to K8s — Good for container environments
❌ Base64 encoded — Not encrypted! Just obfuscated.
❌ No version control — Changes to secrets are opaque
❌ K8s-only — What about local dev? Serverless? Edge functions?
❌ Still string-based — No type safety, no IDE support
✅ OneSeal: Works everywhere (local, cloud, edge), encrypted, type-safe

Managed Secret Services (Doppler/Infisical/1Password)?

✅ Great UI and UX — Easy to manage secrets across teams
✅ Real-time updates — Change propagation without redeployment
❌ No type safety — Still string-based access, no IDE autocomplete
❌ Runtime dependency — Network calls required on every app startup
❌ SaaS-only — What about air-gapped environments? Offline dev?
✅ OneSeal: Type-safe, zero runtime calls, works offline, Git-native

Best together: They store and rotate secrets, OneSeal distributes them as type-safe code.

The OneSeal Philosophy:

We're not trying to replace your secret storage. We're making secret consumption better.

Storage → Use Vault, AWS, Azure, whatever you trust

Distribution → Use OneSeal for type-safe, encrypted SDKs

Consumption → Developers get typed, versioned secrets like any npm package

📊 Vote for What Comes Next

OneSeal started with TypeScript/JavaScript SDKs, but we’re just getting started. Which SDK language would make your team’s life easier?

👉 Vote for the next SDK here

OneSeal’s first input source was Terraform state, but we want to support your stack. Which input source should we add next?

👉 Vote for the next input source here

📊 Monitoring & Observability

🔍 Security & Compliance

Audit trail: Complete history of who did what, when
Access patterns: Detect anomalous secret access
Compliance reports: Export for SOC2, HIPAA, PCI audits
Secret lifecycle: Track creation, rotation, deprecation

📈 Operations

Usage analytics: Which secrets are actually used
Performance metrics: Decryption latency, SDK overhead
Dependency mapping: Service → Secret relationships
Health checks: Source integration status

🚨 Alerting

Failed decryptions: Immediate notification
Rotation reminders: Enforce rotation policies
Version drift: Outdated SDKs in production
Value changes: Unexpected secret modifications

*All features coming soon - we're building based on user feedback.

📖 Commands

`oneseal generate`

Transform secrets into SDKs.

# Demo mode
oneseal generate

# From Terraform state  
oneseal generate terraform.tfstate \
  --name @company/secrets \
  --version 1.0.0 \
  --public-key age1xxx...

# Multiple recipients
oneseal generate terraform.tfstate \
  --public-key alice.pub \
  --public-key bob.pub \
  --public-key ci.pub

`oneseal generate-key`

Create Age encryption keys.

oneseal generate-key
# Public: age1xxx... (share freely)
# Private: AGE-SECRET-KEY-1xxx... (keep safe)

🤔 FAQ

Q: Is this secure to commit to git?
A: Yes! Sensitive values are encrypted with Age. Only those with private keys can decrypt.

Q: Why are some of my outputs not encrypted?
A: Only outputs or content explicitly marked as sensitive are encrypted. What is considered sensitive depends on the source type. For example, in Terraform, whether an output is encrypted depends on whether the sensitive flag is set.

Q: What about secret rotation?
A: Change secret → Regenerate SDK → Bump version → Team updates dependency.

Q: Can I use this with my existing secret manager?
A: Yes! OneSeal complements tools like Vault and AWS Secrets Manager. They store, we distribute.

Q: What if a developer leaves?
A: Remove their public key and regenerate. Coming soon: remote secret sources with live private key validation for instant access revocation.

💙 Acknowledgments

Age (cryptography) by Filippo Valsorda

📄 License & Philosophy

The OneSeal CLI is licensed under the AGPLV3 license.

Our Principles

🔒 Your secrets stay yours — no secret values, file paths, or repo names ever leave your machine
🚫 No hidden telemetry — OneSeal never phones home
✅ Git-native, vendor-free — encrypted SDKs are just repos you control
🔑 BYOK (Bring Your Own Keys) — you own the encryption, not us

Our Business Model

We’re building a sustainable business without betraying developer trust:

CLI → AGPLV3 license, free & open-source
Core Runtime → free for most teams, source-available soon
Cloud Features (optional) → team collaboration, audit logs, compliance tooling, automation

Our Commitments

📌 No surprises — license changes apply only to new major versions
🔓 No lock-in — SDKs remain plain Git repos, usable anywhere
🆓 No gatekeeping — core features always include a free tier
🤝 Transparency — revenue comes from features, never your data

OneSeal is our answer to developer tools done right: open, secure, and built to last.

Name		Name	Last commit message	Last commit date
Latest commit History 166 Commits
.github/workflows		.github/workflows
src		src
tests		tests
.gitignore		.gitignore
.release-it.cjs		.release-it.cjs
CHANGELOG.md		CHANGELOG.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
Dockerfile		Dockerfile
LICENSE.md		LICENSE.md
README.md		README.md
oneseal-logo-white.png		oneseal-logo-white.png
oneseal-logo.png		oneseal-logo.png
oneseal-logo.svg		oneseal-logo.svg
setup-dev.sh		setup-dev.sh

License

oneseal-io/oneseal

Folders and files

Latest commit

History

Repository files navigation

Secrets, configs, and platform outputs as code.Type-safe · Version-controlled · Encrypted.

Table of Contents