New Tool 'Varlock' Aims to Kill .env Files
A new tool called Varlock is gaining traction for replacing insecure `.env` files with a central, version-controlled `.env.schema` file. The approach, highlighted on the Syntax podcast, uses a schema for validation and type safety while fetching secrets from providers like AWS or 1Password via plugins. The goal is to stop putting secrets in plain text, a major risk with AI agents that can read entire codebases.
Varlock was created by Phil Miller and Theo Ephraim and evolved from their previous tool, DMNO. It introduces a lightweight DSL called `@env-spec`, built on JSDoc-style comments, that adds a schema and other functionality to `.env` files. This approach is designed for easier onboarding and compatibility with existing tools.

The core of Varlock is the `.env.schema` file, which acts as a single source of truth and, unlike `.env.example` files, does not drift out of sync with the real configuration. The schema enforces validation, coercion, and type safety, with IntelliSense support, so errors are caught during development rather than in production.

A key security feature is the automatic redaction and masking of sensitive values. By marking variables with a `@sensitive` decorator in the schema, Varlock prevents secrets from appearing in terminal output, logs, AI contexts, or error messages.

Varlock's plugin system allows it to load secrets from third-party providers securely and declaratively. This enables fetching secrets from services like 1Password or AWS Secrets Manager, reducing "secret sprawl", where sensitive information is scattered across many different systems.

The command-line interface includes commands like `varlock init` to bootstrap a project, `varlock load` to validate and display masked values, and `varlock run` to execute commands with injected secrets without exposing them. This provides a secure workflow for both local development and CI/CD pipelines.

Future plans for Varlock include a desktop application for encrypting local overrides using biometrics, shared team vaults with trustless cloud storage, and a GitHub App for tracking configuration changes with audit trails.
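To make the schema-plus-redaction idea concrete, here is an added example of a miniature schema-driven env loader. It is not Varlock's code, and its decorator syntax (`# @type=...`, `# @required`, `# @sensitive` written as comments above each key) is an assumed, simplified stand-in for `@env-spec`, not the real grammar. The schema text, the environment values, and the function names (`parseSchema`, `loadEnv`, `maskedView`, `redact`) are all constructed for this illustration. It shows the two behaviours the article describes: type validation and coercion against a schema, and keeping a `@sensitive` value out of displayed output, log lines, and error messages.

```javascript
// Added example, not Varlock's code. The decorator syntax below is an
// assumed simplification of @env-spec; the sample data is constructed.

// Constructed sample schema: comment decorators apply to the next KEY=value line.
// An empty value means "no default".
const SAMPLE_SCHEMA = `
# @type=string
# @required
APP_NAME=demo-app

# @type=number
PORT=3000

# @type=boolean
DEBUG=false

# @type=string
# @required
# @sensitive
DB_PASSWORD=
`;

// Constructed sample process environment, as a shell or CI job would supply it.
const SAMPLE_ENV = {
  PORT: "8080",
  DEBUG: "true",
  DB_PASSWORD: "hunter2-supersecret",
};

// Parse schema text into { KEY: { type, required, sensitive, default } }.
function parseSchema(text) {
  const schema = {};
  let pending = { type: "string", required: false, sensitive: false };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") { continue; }
    if (line.startsWith("#")) {
      const m = /^#\s*@(\w+)(?:=(.*))?$/.exec(line);
      if (!m) { continue; }                 // ordinary comment, ignored
      const [, name, value] = m;
      if (name === "type") { pending.type = value; }
      else if (name === "required") { pending.required = true; }
      else if (name === "sensitive") { pending.sensitive = true; }
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0) { continue; }
    const key = line.slice(0, eq).trim();
    const def = line.slice(eq + 1).trim();
    schema[key] = { ...pending, default: def === "" ? undefined : def };
    pending = { type: "string", required: false, sensitive: false };
  }
  return schema;
}

// Coerce a raw string to the declared type. For sensitive keys the offending
// value is never echoed into the error message.
function coerce(key, rawValue, spec) {
  const shown = spec.sensitive ? "<redacted>" : JSON.stringify(rawValue);
  switch (spec.type) {
    case "number": {
      const n = Number(rawValue);
      if (rawValue.trim() === "" || Number.isNaN(n)) {
        throw new Error(`${key}: expected a number, got ${shown}`);
      }
      return n;
    }
    case "boolean":
      if (rawValue === "true") { return true; }
      if (rawValue === "false") { return false; }
      throw new Error(`${key}: expected true/false, got ${shown}`);
    default:
      return rawValue;
  }
}

// Resolve each schema key from the environment (falling back to the schema
// default), enforce @required, and coerce to the declared type.
function loadEnv(schema, env) {
  const out = {};
  for (const [key, spec] of Object.entries(schema)) {
    const raw = env[key] !== undefined ? env[key] : spec.default;
    if (raw === undefined) {
      if (spec.required) { throw new Error(`${key}: required but not set`); }
      continue;
    }
    out[key] = coerce(key, raw, spec);
  }
  return out;
}

// What a "load and display" command may safely print: sensitive keys masked.
function maskedView(schema, values) {
  const view = {};
  for (const [key, value] of Object.entries(values)) {
    view[key] = schema[key] && schema[key].sensitive ? "********" : value;
  }
  return view;
}

// Scrub every sensitive value out of arbitrary text (a log line, a stack trace).
function redact(schema, values, text) {
  let out = text;
  for (const [key, spec] of Object.entries(schema)) {
    const v = values[key];
    if (spec.sensitive && typeof v === "string" && v.length > 0) {
      out = out.split(v).join("********");
    }
  }
  return out;
}

// Stand-alone run: prints only masked output, never the raw secret.
function demo() {
  const schema = parseSchema(SAMPLE_SCHEMA);
  const values = loadEnv(schema, SAMPLE_ENV);
  return {
    masked: maskedView(schema, values),
    log: redact(schema, values, `connecting with password ${values.DB_PASSWORD}`),
  };
}
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point to take from `coerce` is that redaction has to be designed in at the error path as well as the display path: a validator that helpfully quotes the bad value in its exception will leak a secret into CI logs the first time a credential is malformed.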