01 / Enva

Encrypted environment variable workflows without passing `.env` files around.

Enva keeps secrets in a local AES-256-GCM vault, injects only the values an app needs, and exposes the same workflow through a CLI, an embedded web UI, and a GitHub Pages demo.

Open Interactive Demo View Source Browse Releases
Version v1.4.1
Primary surface CLI + Embedded Web UI
Default bind 127.0.0.1:8080 (auto-opens browser)
Release assets linux x86_64 / aarch64 / macOS aarch64
Shared guardrail Embedded UI and Pages demo stay in parity

What Enva closes

One product flow across vault, app launch, web review, and release distribution.

The compatibility baseline for Enva is the current README, docs, CLI behavior, tests, embedded web UI, and `site/demo.html`. The product stays local-first while preserving release/update paths and remote sync flows.

  • Local AES-256-GCM vault with Argon2id and HMAC validation.
  • Per-app injection with dry-run, `--cmd`, and app-path launch flows.
  • Embedded web UI and static demo that keep shared DOM and interaction hooks.
  • Release, install, and self-update contracts that stay aligned by asset naming.

Install and verify

Recommended install script

curl -fsSL https://raw.githubusercontent.com/YoRHa-Agents/EnvA/main/scripts/install.sh | bash

Build from source

cargo build --release cp target/release/enva ~/.local/bin/

Post-install smoke

enva vault self-test enva update --help

Feature contract

  • `enva` starts the embedded web UI with auto-open browser and port persistence; `enva serve` keeps explicit host/port control with `--no-open` option.
  • `enva update` and the web UI Settings panel preserve tag selection, asset matching, verification, and atomic replacement.
  • `build.sh`, `scripts/install.sh`, and release assets stay aligned on naming.
  • `site/demo.html` and the embedded web UI keep shared import/export selection hooks.

Operational guide

Quick start

Create a vault

enva vault init --vault ./my.vault.json

Store a secret

enva vault set db-url -k DATABASE_URL -V "postgres://user:pass@host/db"

Assign it to an app

enva vault assign db-url --app backend

Run with injected env

enva --cmd "printenv DATABASE_URL" backend

Dry-run app secrets

enva backend

Open the web UI

enva # auto-opens browser enva serve --port 3000 # custom port enva serve --no-open # suppress browser

Surfaces

CLI

vault / serve / update / enva <APP> / --cmd

Embedded web

/api routes + local review on 127.0.0.1

Pages demo

site/demo.html with parity-checked selection hooks

Remote flows

deploy / sync-from / preview / review / merge

Documentation front door

This static landing now follows the same shell language used by `RustWebAppCommon`, while Enva keeps its own product workflows and CLI contract.