00:00:00This is Valor, an open source tool for managing environment variables that makes it so that you
00:00:04never have to store plain text secrets on disk again and works by resolving environment variables
00:00:10locally or through a password manager like 1Password, Bitwarden, AWS and many more by using
00:00:16a type safe schema and then injects your secrets into your application at runtime making your .m
00:00:21file safe for AI and even to commit publicly to GitHub. But how does this actually work
00:00:27and what's the deal with this weird syntax? Hit subscribe and let's get into it.
00:00:31How many times have you started a new dev role, get access to the code, get it running locally
00:00:39and it doesn't work only to find out you're missing a .m file you need to get from another developer
00:00:45or some kind of encrypted storage and you have to go through this process over and over again
00:00:50each time that .m file updates. This is the problem Valor exists to solve and also to fix
00:00:56the problem of prompt injected AI agents fetching secrets they shouldn't have access to. Let's go
00:01:02through how it works. So here is a small project I've been working on that generates articles from
00:01:06Twitter videos using OpenAI's whisper to transcribe the video and using Claude to write the article.
00:01:12But we're going to start with something simple and use Valor to change the port number. So with Valor
00:01:17already installed we should have a .m schema file which is currently empty. This will be the source
00:01:23of truth for all of our environment variables and should be able to be committed to GitHub in a
00:01:28public repo. We'll start by adding a simple appenv environment variable and we'll set it to the value
00:01:33of testing and now I can create a new tab to run varlock load which will validate our schema. Now
00:01:39we can see over here it's read our environment variable and has set it to sensitive. This is
00:01:43because all environment variables in varlock are set to sensitive by default but we can change that.
00:01:48In this file I'm going to add our first decorator which will be a root decorator
00:01:52because it will affect all the environment variables in the file and we'll set default
00:01:56sensitive to false. Notice the syntax here has a hashtag in front of it and usually root variables
00:02:02are separated with a divider. Now this whole file uses a domain specific language called mspec which
00:02:08is an open spec written by the varlock team. So now if I validate my schema again we can actually see
00:02:14the value of the environment variable because it's no longer set to sensitive. But we can do some
00:02:19other cool things inside our schema file like giving our environment variable a type. So I'll
00:02:24give it a type of string which means everything should still work but if I were to change it to
00:02:29number then we can see we get an error because it's expecting a string. I can also give it the
00:02:33required decorator and then remove this text meaning if we check our file we get an error
00:02:39because it's expecting a value. These are called item decorators and you can find a full list of
00:02:44them in the varlock documentation as well as a full list of the available types. Let's now add another
00:02:50environment variable and this time we're going to call it port with a value of 3002. I can give it a
00:02:55type of port and what I'm also going to do up here is set this to sensitive and change this back to a
00:03:01string. Now it's picked up both of our environment variables and hidden this because it's sensitive.
00:03:05But now how do we get these values into our application? Well all we have to do is run
00:03:10varlock run followed by the scripts we need to run our application. So if I cap the package JSON file
00:03:15we can see we need to run the vite command to run the frontend. So now if I run varlock run followed
00:03:21by the vite command it should load the config resolve it and then inject it into our environment
00:03:27variables which is exactly what it's done because now the port is 3002 which works in our code
00:03:33because it first checks for the port environment variable currently being injected by varlock.
00:03:38This script doesn't just have to be a javascript file because varlock works for any project so
00:03:43python go rust you name it everything should still work as expected and if you don't want to install
00:03:48it with npm then there's also a varlock cli which works just the same. This is all well and good for
00:03:54local environment variables but now let's go through the process of fetching them from one password
00:03:59instead of using my shell local variables for things like this open ai and anthropic api key.
00:04:05Now I don't use one password personally I've signed up for a trial just to make this video but as you
00:04:11can see I've created a new vault which is very important I'll explain why later and inside this
00:04:16vault we have two items one is the openai api key and one is an anthropic api key which I don't mind
00:04:24showing because they're completely made up so if I reveal this this is not a real api key. Now in order
00:04:30to get those values inside our varlock schema we first need to install the one password plugin
00:04:36and note plugins in varlock can add their own root and item decorators so you may see some new ones
00:04:42here that don't exist inside the documentation for example this init one password decorator so after
00:04:49installing varlock one password we can load the plugin root decorator containing the plugin we just
00:04:55installed and we can run the init one password decorator so all I need right now is the token
00:05:01which I can load from here. Now in order to get this token you do have to connect it to a new vault
00:05:06not your personal one and you can find it in developer service account then follow the steps
00:05:11to create a token. Now since I'm going to delete my token and one password account after this video
00:05:15I don't mind showing it and I'm going to give this a type of one password service token which is set
00:05:21to sensitive and is a type that comes from this plugin. You may also notice that this file doesn't
00:05:26have any syntax highlighting and that's because the varlock team have created a vs code plugin
00:05:32that does support it but right now there isn't one for near vim which means I might create one in the
00:05:37future or just get clawed to do it. Now I'm going to create a new environment variable called openai
00:05:43api key id and then in order to get that from one password I have to run the one password function
00:05:49followed by this protocol and then I need to add the name of my vault which is test the name of the
00:05:55item which is openai and then the field name which if we double check we can see over here that it is
00:06:02credential. I can also set that to sensitive and now if we run varlock load it takes a few seconds
00:06:08before getting my openai api key from one password and we can check it's working by even changing the
00:06:14value here so something like one two three four and if we run varlock load again it gets the correct
00:06:20values and there we have it our env schema file should be good to commit but I know what you're
00:06:25thinking what about this one password token is that safe well to be honest if you were developing
00:06:31locally and you had one password you may have the desktop app installed or you're using the cli in
00:06:38that case you can use this configuration to unlock one password with your fingerprint instead of using
00:06:43a one password token but varlock also supports other plugins like one for aws gcp and even bitwarden
00:06:52as well as many other integrations including those for veet next.js and cloud flare workers there are
00:06:57also so many other features I didn't get rounds to going through like generating typescript types from
00:07:03your schema importing environment variables from other files and even redacting sensitive outputs
00:07:08from logs and outgoing http responses which is a very nice touch there's even an mcp server to
00:07:15help your coding agent set up an env schema for you automatically and there's also a github action
00:07:21to load and validate your environment variables in your cict process but as cool as varlock is there
00:07:27are a few issues with it for example you can't use it offline so if you're coding at an airport you'll
00:07:32have to use your hard-coded environment variables but honestly who's really coding without the
00:07:37internet also speaking of internet there is a bit of delay when it's fetching passwords from a
00:07:41different provider so it will take a tiny bit longer to start up your scripts there's also a
00:07:46lack of providers such as dashlane and others and i did experience a weird bug where if i use the same
00:07:53name in my schema file as the name of an environment variable for my local shell it used that environment
00:07:59variable locally instead of the one from one password but varlock is actively being developed
00:08:05and i'm sure a lot of these things will be addressed in the future nevertheless the product
00:08:10as is right now is still incredibly useful to me and i think i'm going to be using it for all
00:08:16my side projects going forward and maybe even replace my local shell files with varlock schema
00:08:21files if there's a way to do that i really hope there is because i don't want any agents to scrape
00:08:26by information.