envault 1.0.0
envault: ^1.0.0 copied to clipboard
Fintech-grade secret management for Flutter/Dart. AES-256-GCM encryption in generated code, SecureString type, build-time validation, and runtime derived keys.
1.0.0 — First Stable Release (Breaking Security Fix) #
⚠️ BREAKING: All existing
vault.g.dartfiles must be regenerated after upgrading. Runenvault generatewith your newVAULT_MASTER_PASSWORD.
- CRITICAL SECURITY FIX: Removed
fallback_zero_config_keyfrom generated code. The master key is now a per-project, CI-injected secret — never a known string. - Master password is sourced from (priority order):
VAULT_MASTER_PASSWORDenvironment variable (CI/CD).vault_keylocal file (gitignore-enforced, local dev only)- Hard failure with a clear error — no silent fallback, ever
- Added
assertVaultPassword()function to generatedvault.g.dart. Call it inmain()beforerunApp()to detect password mismatches at startup, before any decryption is attempted. - Password fingerprint (HMAC-SHA256, 8 bytes) embedded in generated code.
Mismatch between
envault generateandflutter buildis caught instantly. - Added
VaultConfigurationExceptionfor misconfiguration errors. - Generated code now reads password via
String.fromEnvironment('VAULT_MASTER_PASSWORD'). - Added
.vault_keygitignore enforcement — blocks generation if file is not ignored. - Added CI/CD templates in
docs/ci_cd/for GitHub Actions and Codemagic.
0.1.2 #
- Updated documentation links (Compliance, Threat Model, Security, Migration Guide) in README.
0.1.1 #
- Added link to the official architectural whitepaper.
0.1.0 #
- Initial release of envault.
- Introduced AES-256-GCM encryption for secrets.
- Added
SecureStringwith.use()scope to prevent log leakage. - Implemented PBKDF2 derived keys at runtime (master key not stored in binary).
- Integrated hardware acceleration via
cryptography_flutter.