
Oneseal

Secrets, configs, and platform outputs as code: typed, versioned, encrypted.


<div align="center"> <img src="oneseal-logo.png" alt="OneSeal Logo" width="200"> <br>


<h3>Secrets, configs, and platform outputs as code.<br>Type-safe · Version-controlled · Encrypted.</h3>

Stop copy-pasting secrets.<br>Turn config sprawl into code you can trust.

</div>

```mermaid
flowchart TD
    S["📂 Possible Sources<br><br>Terraform state<br>Pulumi state<br>AWS/Azure/Google Vaults<br>.env files<br>Any Vault system<br>Custom YAML/JSON"]

    A["Sources<br><br>Secrets · 🌐 URLs<br>🚀 Feature Flags · 📊 IDs<br>🔧 Connection Strings"]

    S --> A
    style S fill:#1a1f2e,stroke:#7c3aed,stroke-width:2px,color:#e9d5ff

    B["⚙️ OneSeal Engine<br><br>🔒 Encrypt · 🏗️ Generate<br>🔑 Multi-key · Type-safe"]

    C["📦 Generated Artifacts<br><br>Language SDKs<br>Infrastructure Modules<br>CI/CD Templates"]

    E["🏗️ Infrastructure Modules<br><br>Terraform · Pulumi<br>Ready-to-use"]
    D["💻 Application SDKs<br><br>TypeScript · Python · Go<br>Type-safe interfaces"]
    F["🚀 Pipeline Templates<br><br>GitHub Actions<br>Azure DevOps"]

    A --> B
    B --> C
    C --> D
    C --> E
    C --> F

    style A fill:#1e293b,stroke:#38bdf8,stroke-width:2px,color:#e0f2fe
    style B fill:#0f172a,stroke:#22d3ee,stroke-width:3px,color:#cffafe
    style C fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#d1fae5
    style D fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff
    style E fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff
    style F fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#e0e7ff

    %% Invisible spacer for bottom padding
    F ~~~ Z[" "]
    style Z fill:none,stroke:none
```

OneSeal turns platform outputs into versioned, type-safe SDKs. Eliminate runtime errors and connect services with confidence.


📦 What OneSeal Delivers

  • Secrets: Encrypted by default if marked as sensitive (passwords, API tokens, keys)
  • 🌐 Service URLs: API endpoints, CDN domains, callback URLs
  • 🚀 Feature Flags: Environment-specific configuration values
  • 📊 Resource IDs: ARNs, bucket names, queue identifiers
  • 🔧 Connection Strings: Databases, caches, brokers
  • Any Platform Output: Anything developers need to consume safely

😩 The Problem

Every team knows this pain:

  • "What's the S3 bucket name for uploads?" → Check the wiki...
  • "What's the database password again?" → Check Slack/Discord/Teams...
  • "The API key changed!" → App crashes in production at 3 AM
  • "I renamed that secret..." → 5 services break silently
  • process.env.DATBASE_URL → Typo goes unnoticed for weeks
  • "How do we share this with the new dev?" → Another risky copy-paste

Your secrets are scattered across Vault, AWS Secrets Manager, Terraform outputs, and a dozen other places. Your developers access them through error-prone string lookups. There's no type safety, no version control, and no single source of truth.

💡 The Solution: Secrets-as-Code

OneSeal transforms your platform secrets into typed, versioned, encrypted SDKs that live in your git repository. One command turns chaos into code.

🔄 Before vs After

❌ Before OneSeal

```typescript
// Runtime errors waiting to happen
const dbPass = process.env.POSTGRES_PASSWORD; // undefined?
const apiKey = process.env.STRIPE_KEY; // or was it STRIPE_API_KEY?

// Hardcoded secrets everywhere (we've all done this)
const config = {
  // Found this in the wiki... is it still valid?
  database: {
    host: "postgres-prod.us-east-1.rds.amazonaws.com",
    password: "P@ssw0rd123!" // TODO: move to env vars (6 months ago)
  },

  // Dave said use this one in the standup
  stripe: {
    key: "sk_live_4eC39HqLyjWDarjtT1zdp7dc" // 🚨 PRODUCTION KEY IN CODE
  },

  // Copy-pasted from onboarding doc (last updated: 2021)
  redis: {
    host: "redis-prod-cluster.cache.amazonaws.com",
    password: "xY3$a9Qm#2kL8nP5" // Hope nobody changed this
  }
};

// No idea what other secrets exist or their structure
// New dev: "Where do I find the OAuth client secret?"
// You: "Uhh... ask Sarah, she set it up"
```

✅ After OneSeal

```typescript
// index.ts
import { State } from '@contoso/my-infra';

const state = new State();
const outputs = await state.initialize();

// Full type safety and IntelliSense
const db = outputs.database.postgresql;
//                  ^-- AutoComplete shows: host, port, username, password

const stripe = outputs.payments.stripe.secretKey;
//                       ^-- TypeScript knows the exact structure

// Redis config? Just follow the dots
const redis = outputs.cache.redis;
//                ^-- No more "what was that env var called?"

// New dev onboarding is now:
// 1. npm install @contoso/my-infra
// 2. That's it. Seriously.

// 🎉 Benefits:
// ✅ Compile-time safety - typos are impossible
// ✅ Version controlled - rollback anytime
// ✅ Encrypted - safe to commit to git
// ✅ One dependency - not 50 env vars
// ✅ Self-documenting - the IDE knows everything
```
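
For repositories that still look like the "before" snippet, both failure modes it shows (a misspelled `process.env` name and a secret pasted into source) can be flagged mechanically in CI. The check below is an added example, not part of OneSeal or its README; the `KNOWN_ENV` allow-list, the regular expressions and the sample input are assumptions constructed for illustration.

```javascript
// Added example, not OneSeal code. KNOWN_ENV, the patterns and SAMPLE are
// assumptions constructed for illustration.
const KNOWN_ENV = ['DATABASE_URL', 'POSTGRES_PASSWORD', 'STRIPE_API_KEY'];

// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j]; // D[i-1][j]
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

const ENV_REF = /process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g;
// Heuristics: a quoted literal on a secret-looking property, or a Stripe-style live key.
const SECRET_PROP = /\b(password|secret|key|token)\w*\s*[:=]\s*["'][^"']{8,}["']/i;
const LIVE_KEY = /\bsk_live_[0-9A-Za-z]{16,}/;

// Findings carry line numbers only, never the matched secret value.
function auditSource(source, knownEnv = KNOWN_ENV) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    for (const m of text.matchAll(ENV_REF)) {
      if (knownEnv.includes(m[1])) continue;
      const near = knownEnv.find((k) => editDistance(k, m[1]) <= 2) || null;
      findings.push({ line, kind: near ? 'env-typo' : 'env-unknown', name: m[1], suggestion: near });
    }
    if (SECRET_PROP.test(text) || LIVE_KEY.test(text)) {
      findings.push({ line, kind: 'hardcoded-secret' });
    }
  });
  return findings;
}

// Constructed input mirroring the "before" snippet; values are placeholders.
const SAMPLE = [
  'const url = process.env.DATBASE_URL;',
  'const dbPass = process.env.POSTGRES_PASSWORD;',
  'const apiKey = process.env.STRIPE_KEY;',
  'const redis = { password: "constructed-placeholder" };',
  'const stripe = { key: "sk_live_000000000000000000000000" };',
].join('\n');
console.log(auditSource(SAMPLE));
```

On the sample, `DATBASE_URL` is reported as a likely typo of `DATABASE_URL`, `STRIPE_KEY` as an unknown name, and the last two lines as hardcoded secrets.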

🛠 Installation

Download Binary

Download the latest binary for your platform from GitHub Releases:

📋 Prerequisites

Before using OneSeal, ensure you have the following installed on your host:

Required

  • npm: for installing the dependencies of the generated SDK package

```bash
# Check if you have Node.js and npm installed
npm --version   # Should show 6.0.0 or later
# Install Node.js if needed:
# macOS: brew install node
# Ubuntu/Debian: sudo apt install nodejs npm
```

🚀 Quickstart

30 Seconds: Try It Now

```bash
# Generate a demo SDK with sample secrets (random Terraform state outputs)
oneseal generate

# Install in your project (replace with the path shown in the output)
npm install ./oneseal-demo-sdk/oneseal-demo-sdk-0.1.0.tgz
# or: yarn add ./oneseal-demo-sdk/oneseal-demo-sdk-0.1.0.tgz
# or: bun add ./oneseal-demo-sdk/oneseal-demo-sdk-0.1.0.tgz
```

Then, depending on your TypeScript/JavaScript project:

🧩 ESM (TypeScript or JavaScript, recommended)

```typescript
// index.ts / index.mjs
import { State } from 'oneseal-demo-sdk';
const state = await new State().initialize();
console.log(state.database.connectionString);
```

Requires: "type": "module" in package.json

Run:

```bash
npx tsx src/index.ts
# or
node index.mjs
# or
bun index.ts
```

⚙️ CommonJS (TypeScript or JavaScript)

```typescript
// index.ts / index.js
const { State } = require('oneseal-demo-sdk');
(async () => {
  const s = new State();
  await s.initialize();
  console.log(s.database.connectionString);
})();
```

Requires: "type": "commonjs" (or no "type" field)

For TypeScript, also add to your tsconfig.json:

```json
{
  "compilerOptions": {
    "types": ["node"],
    "esModuleInterop": true
  }
}
```

Run:

```bash
ts-node src/index.ts
# or
node index.js
```

💡 Tip: Prefer ESM if possible. It's modern, supports top-level await, and aligns with most SDKs.


2 Minutes: Real Terraform State

```bash
# Generate SDK from your actual Terraform outputs
oneseal generate terraform.tfstate --name @contoso/my-infra

# The CLI will output the path to your new SDK package:
# By default ./oneseal-dist
# > ✅ SDK package created at: ./oneseal-dist/@contoso/my-infra-1.0.0.tgz

# Go to where your TypeScript/JavaScript project lives
cd /to-my-project

# Install in your project (replace with the path shown in the output)
npm install /path/to/oneseal-sdk/@contoso/my-infra-1.0.0.tgz
# or: yarn add /path/to/oneseal-sdk/@contoso/my-infra-1.0.0.tgz
# or: bun add /path/to/oneseal-sdk/@contoso/my-infra-1.0.0.tgz
```

```typescript
// index.ts
import { State } from '@contoso/my-infra';
const state = await new State().initialize();
console.log(state.database.connectionString); // Fully typed!
```

5 Minutes: Team Collaboration

This workflow enables a team to securely share secrets, with distinct steps for developers and CI.

1. Developer Setup (for Alice, Bob, etc.)

Each developer generates their personal key once. OneSeal handles the storage automatically.

```bash
# Developer runs this on their machine
oneseal generate-key

# ✅ Keypair stored in ~/.oneseal/
# Public key printed to console: age1vwd8j... (Share this with your team lead / private git repo, via Teams, etc.)
```

2. CI/CD Key Setup

Generate a
