Problem-first guide
Runtime Secret Injection with dv-env CLI
Keep app secrets out of local files and inject them only when a command starts. `@deadvault/dv-env` bridges encrypted DeadVault data into runtime environment variables for local development, CI pipelines, and autonomous agent workers.
When to use dv-env
- You want to avoid app-level `.env` files in repos.
- You need the same secret source for local dev, CI, and agents.
- You want fail-closed mapping checks before command execution.
- You need short-lived broker tokens for worker isolation.
Basic runtime flow
npm install @deadvault/dv-env echo "$DV_MASTER_PASSWORD" | dv-env run \ --owner 0xYourAddress \ --password-stdin \ --map OPENAI_API_KEY:OpenAI \ -- node app.js
The mapped variable exists only for the spawned child process. This keeps secret exposure tightly scoped.
Agent broker flow (recommended)
# trusted issuer context printf "%s\n%s\n" "$DV_MASTER_PASSWORD" "$DV_BROKER_SECRET" | dv-env issue-token \ --owner 0xYourAddress --password-stdin --broker-secret-stdin \ --ttl-seconds 180 --map OPENAI_API_KEY:OpenAI > token.txt # worker context (no master password) DV_BROKER_TOKEN="$(cat token.txt)" dv-env run \ --broker-token "$DV_BROKER_TOKEN" -- node app.js
Broker mode reduces blast radius by giving workers short-lived scoped tokens instead of long-lived master credentials.
Operational checklist
- Use `--password-stdin` and `--broker-secret-stdin` instead of raw CLI values.
- Rotate broker secrets regularly and keep token TTL short.
- Map only required labels per workload (`principle of least privilege`).
- Run environment validation before execution in CI and agents.