dmno-dev/varlock

AI-safe .env files: Schemas for agents, Secrets for humans.

TypeScript | 3531 stars | AI-Safe Secrets Management | GitHub
Quality: integrate 22/24
PAI: integrate 0.88

Verdict

INTEGRATE — Deploy varlock immediately as the secrets safety layer for any PAI project that uses AI coding agents, giving agents schema context without ever exposing secret values.

Standalone Assessment

22/24 — actively-maintained / adequately-documented / high-discipline

Health: 8/8 (actively-maintained)

Failed: none

Passed:
H1: PASS — tagged release @varlock/vite-integration@1.1.2 on 2026-05-25
H2: PASS — release dated 2026-05-25, under 24 hours old relative to today
H3: PASS — last commit 2026-05-26T20:11:32Z, same day as appraisal
H4: PASS — last commit today (2026-05-26), trivially within 30 days
H5: PASS — archived: false
H6: PASS — 28 open issues (>0 and <100, indicating active triage)
H7: PASS — MIT license present
H8: PASS — README contains GitHub Actions CI badge referencing test.yaml workflow

Documentation: 6/8 (adequately-documented)

Failed:
D5: FAIL — no heading explicitly named "API", "Configuration", "Options", "Reference", "Commands", or "Parameters" in the README excerpt; commands are shown inline under "Workflow" without a dedicated reference heading
D8: FAIL — no "Limitations", "Caveats", "Known Issues", "Trade-offs", or "Not supported" section found in README

Passed:
D1: PASS — README is present with extensive content across multiple sections
D2: PASS — README far exceeds 1000 bytes; includes feature lists, code blocks, plugin tables, integration tables, and workflow examples
D3: PASS — dedicated "Installation" section covers npx, brew, curl, and Docker install paths
D4: PASS — code blocks under "Workflow" show varlock load, varlock run, and .env.schema usage examples
D6: PASS — first content block states "AI-safe .env files: Schemas for agents, Secrets for humans" with a six-bullet feature summary within the first 500 characters
D7: PASS — multiple links to varlock.dev docs site including full installation docs, Docker guide, AI-safe config guide, and @env-spec overview

Engineering Signals: 8/8 (high-discipline)

Failed: none

Passed:
E1: PASS — TypeScript is the primary language
E2: PASS — package.json present at repo root (full dependency manifest provided)
E3: PASS — 21 devDependencies in monorepo root package.json, below the 30-dep threshold
E4: PASS — package.json defines test:ci, smoke-test, and test:frameworks scripts; CI badge references test.yaml; dependency manifest includes vitest in catalog
E5: PASS — 3531 stars far exceeds the 50-star threshold
E6: PASS — approximately 261 stars/month (3531 stars over ~13.5 months since 2025-04-11), well above the 2/month floor
E7: PASS — 94 forks exceeds the 5-fork threshold
E8: PASS — description "AI-safe .env files: Schemas for agents, Secrets for humans." is specific, meaningful, and well over 20 characters

PAI Fit

Dimension | Score | Assessment
Harvest Value | 2 | The @env-spec DSL — attaching typed schema via JSDoc-style decorators inside .env files — is a genuinely novel pattern; the AI-safety contract (agents receive schema, never secret values) is directly relevant to PAI's multi-agent and coding-agent infrastructure. Runtime log redaction and proactive leak scanning via git hooks are additional harvestable patterns.
Integration Readiness | 2 | Drop-in: npx varlock init bootstraps in a JS project; varlock run -- <cmd> wraps any process; framework integrations exist for Vite, Next.js, and Astro; Docker image and MCP docs server are ready-made. No glue code required for standard use.
Overlap Risk | 0 | No vault repo touches environment-variable schemas, secrets management, or AI-safe config; this is the first appraisal in this problem space (crowding_index: 0).
Gap Fill | 1 | No gap is explicitly declared in the landscape Gaps section for secrets management, but every AI coding workflow in the vault (claude-code, showboat, vellum-assistant, openhuman) creates implicit exposure risk — varlock directly addresses that operational concern.

Composite: 0.88

Competitive Positioning

Category: AI-Safe Secrets Management
Crowding: 0 repos in vault (first-in-category)
Alternatives: first in this category
vs. top alternative: no prior vault repo covers env-var schema, secrets redaction, or AI-agent safety contracts — varlock is unopposed
Landscape impact: filling a gap — the vault has deep AI agent tooling but no secrets protection layer between agents and credentials

Evidence Base

Density: 10/10 — all ten evidence inputs available: repository metadata (stars, forks, issues, dates, license, archived status), README content (8KB excerpt), dependency manifest (full root package.json), topics/tags, latest release record, language, description, landscape context, related prior appraisals, and crowding index

Notes

The @env-spec RFC (linked from README as discussion #17) signals intent to standardize this annotation format beyond varlock itself — worth tracking as a potential ecosystem standard. The plugin roster (1Password, AWS, Azure, GCP, HashiCorp Vault, Infisical, Bitwarden, KeePass, Passbolt, Proton Pass) is unusually comprehensive for a project only 13 months old, suggesting the dmno-dev team is treating this as a platform play. The MCP docs server means PAI agents can query varlock's documentation natively — a self-referential integration point worth noting at setup time.