secure_env 1.0.0

Encrypt values from `.secure_env` into Rust ciphertext at build time and read them at runtime via `dart:ffi` (AES-256-GCM). Keeps plaintext secrets out of Dart sources and JNI / Apple native binaries [...]

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

1.0.0 — 2026-05-19

Added

• Runtime API SecureEnv: availableKeys(), get, require, isAvailable, and nativeAbiVersion backed by Rust secure_env_* FFI.
• Code generator CLI dart run secure_env:generate: reads .secure_env, emits rust/src/generated/keys.rs and lib/src/generated/secure_env_data.g.dart (AES-256-GCM, split/obfuscated master key material).
• Platforms: Android JNI (four ABIs), iOS XCFramework (static archives), macOS dylib; build orchestration scripts under tool/.
• Quality: unit / integration scaffolding, FFI test stub helpers (secure_env_testing), APK plaintext strings check script, GitHub Actions CI.

Caveats

• Not unbeatable security — materially raises the bar versus plaintext-in-Dart; determined reverse engineers remain in scope only as elevated cost.
• Flutter Web unsupported (dart:ffi); use server-held secrets on web targets.
• Key names in generated Dart metadata remain visible (values are ciphertext only).