Dotenv, but evolved. Environment configuration for the modern era.
Phase 1 ships interpolation and layered loading in Rust.
The .env file format was created in 2012. Since then:
- Cloud-native computing was born
- Supply chain attacks became the #1 threat vector
- Microservices replaced monoliths
- Edge computing and WASM emerged
- AI-assisted development changed how we write code
Yet .env files haven't changed at all. They're still plaintext, untyped, unvalidated, and insecure.
DotenvPP reimagines environment configuration from first principles, taking everything we've learned in 14 years and building something that actually helps instead of being a silent source of bugs and security vulnerabilities.

> A million secrets have been leaked from exposed `.env` files (Trend Micro, 2022). It's time for something better.

DotenvPP 0.0.3 ships the parser foundation plus Phase 1 interpolation and layered loading.
| Capability | Status | Notes |
|---|---|---|
| Basic `KEY=VALUE` parsing | ✅ Shipped | Core parser behavior |
| Comments, blank lines, `export` | ✅ Shipped | Common dotenv syntax |
| Single-quoted, double-quoted, and unquoted values | ✅ Shipped | Includes multiline quoted values |
| BOM handling and common escape decoding | ✅ Shipped | Phase 0 parser behavior |
| Load parsed values into `std::env` | ✅ Shipped | Includes layered loading and override variants |
| CLI `check` and `run` commands | ✅ Shipped | Supports `--file` and `--env` |
| Variable interpolation (`${VAR}`) | ✅ Shipped | Includes default, required, alternative, and `$$` escaping |
| Environment layering | ✅ Shipped | `.env` < `.env.{ENV}` < `.env.local` < `.env.{ENV}.local` |
| Schema and type system | ⏳ Phase 2 | Roadmap |
| Encryption | ⏳ Phase 3 | Roadmap |
| Expression language | ⏳ Phase 4 | Roadmap |
| Policy engine | ⏳ Phase 5 | Roadmap |
| WASM target | ⏳ Phase 6 | Roadmap |

The commands and APIs below reflect the current shipped surface. Higher-level APIs for schemas, encryption, expressions, policies, and WASM remain roadmap items in docs/TODO.md and docs/ARCHITECTURE.md.
```bash
# Install
cargo install dotenvpp-cli

# Check the layered config for a selected environment
dotenvpp check --env production

# Load the layered production stack and run a command with those variables
dotenvpp run --env production -- cargo test

# Or target one explicit file
dotenvpp check --file .env
```

```rust
fn main() -> Result<(), dotenvpp::Error> {
    // Load the layered files for the "production" environment into the process environment
    dotenvpp::load_with_env("production")?;

    let app_name = dotenvpp::var("APP_NAME")?;
    println!("APP_NAME={app_name}");

    // Parse from any reader; ${HOST} is interpolated from the earlier pair
    let preview = dotenvpp::from_read(&b"HOST=localhost\nURL=http://${HOST}"[..])?;
    assert_eq!(preview.len(), 2);
    assert_eq!(preview[1].value, "http://localhost");

    Ok(())
}
```

DotenvPP starts with a from-scratch parser instead of wrapping an existing dotenv crate. That leaves interpolation, layering, schemas, and later roadmap features on top of parser behavior the project owns.
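
The layering order in the feature table puts `.env.local` above `.env.{ENV}`, so a stray local file changes what a production run loads. The sketch below is an added example in std-only Rust, not DotenvPP's code or API: `merge`, `Resolved` and the simplified `parse` are hypothetical helpers and the sample files are constructed. It merges layers in that order and records which file supplied each value and which files it shadowed.

```rust
use std::collections::BTreeMap;

/// Layer file names in ascending precedence, as listed in the feature table.
fn layer_names(env: &str) -> Vec<String> {
    vec![".env".into(), format!(".env.{env}"), ".env.local".into(), format!(".env.{env}.local")]
}

/// Simplified KEY=VALUE reader (no quoting, escapes or interpolation); demo only.
fn parse(text: &str) -> Vec<(String, String)> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.strip_prefix("export ").unwrap_or(l).split_once('='))
        .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
        .collect()
}

/// One key after merging: final value, the file that won, and the files it shadowed.
#[derive(Debug, PartialEq)]
struct Resolved { value: String, source: String, shadowed: Vec<String> }

/// Merge layers lowest precedence first; absent layers are skipped, overrides are recorded.
fn merge(env: &str, files: &[(&str, &str)]) -> BTreeMap<String, Resolved> {
    let mut out: BTreeMap<String, Resolved> = BTreeMap::new();
    for name in layer_names(env) {
        let Some((_, text)) = files.iter().find(|(n, _)| *n == name) else { continue };
        for (k, v) in parse(text) {
            let shadowed = match out.remove(&k) {
                Some(mut prev) => { prev.shadowed.push(prev.source); prev.shadowed }
                None => Vec::new(),
            };
            out.insert(k, Resolved { value: v, source: name.clone(), shadowed });
        }
    }
    out
}

fn main() {
    // Constructed sample files; there is no .env.production.local in this set.
    let files = [
        (".env", "APP_NAME=demo\nDATABASE_URL=postgres://localhost/dev\n"),
        (".env.production", "DATABASE_URL=postgres://db.internal.example/prod\nLOG_LEVEL=warn\n"),
        (".env.local", "# developer override\nDATABASE_URL=postgres://localhost/scratch\n"),
    ];
    for (k, r) in merge("production", &files) {
        println!("{k}={} (from {}, shadows {:?})", r.value, r.source, r.shadowed);
    }
}
```

A non-empty `shadowed` list on a key such as `DATABASE_URL` is the signal to review before a deploy, since it shows a local file overriding the environment-specific value.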
dotenvx is already further ahead on encrypted workflows. DotenvPP is taking a different path: ship a solid Rust parser, interpolation, and layering surface first, then build later phases on that foundation.
Those are infrastructure products. DotenvPP is a developer-facing library and CLI. Even in Phase 0, the goal is local parsing/loading ergonomics rather than replacing secret-management platforms.
SOPS is focused on encryption. DotenvPP is broader in roadmap scope, but those later capabilities are still planned work rather than current release features.
Current workspace layout:
```
dotenvpp/
├── crates/
│   ├── dotenvpp-parser/    # Phase 0 parser engine
│   └── dotenvpp-cli/       # CLI binary with layered loading support
├── src/lib.rs              # Facade crate API
├── tests/                  # Facade integration tests
├── examples/               # In-crate examples
└── usage-examples/         # Separate demo crate (`publish = false`)
```

Planned crates such as dotenvpp-schema, dotenvpp-expr, dotenvpp-policy, dotenvpp-crypto, dotenvpp-layers, and dotenvpp-wasm are part of the design vision, not current workspace members. See docs/ARCHITECTURE.md for that longer-term target.
| Phase | Description | Status |
|---|---|---|
| 0 | Foundation: Standard `.env` parsing | ✅ Complete |
| 1 | Interpolation & environment layering | ✅ Implemented |
| 2 | Schema & type system | Planned |
| 3 | Encryption | Planned |
| 4 | Expression language | Planned |
| 5 | Policy engine | Planned |
| 6 | WASM target | Planned |
| 7 | DX & ecosystem (VS Code, bindings) | Planned |
| 8 | Advanced (remote config, rotation, audit) | Planned |

See docs/TODO.md for the detailed roadmap.
This project is informed by extensive research into:
- Academic papers: Trend Micro (2022), Basak et al. (2022), OWASP guidelines
- Competitor analysis: dotenvx, SOPS, Infisical, Doppler, Configu, HashiCorp Vault
- Industry standards: 12-Factor App, Policy-as-Code (OPA), Zero Trust Architecture
See docs/RESEARCH.md for the full research synthesis.
- Language: Rust (2021 edition)
- CLI: `clap` v4
- Parser: custom parser in `dotenvpp-parser`
- Benchmarking: `criterion`
- Quality: `cargo fmt`, `clippy`, tests, GitHub Actions

Planned later phases introduce additional dependencies such as miette, serde, toml, crabgraph, and wasm-bindgen as those capabilities land.
DotenvPP has shipped Phase 1 and is moving toward Phase 2. Contributions welcome.
- Read docs/RESEARCH.md for context
- Read docs/ARCHITECTURE.md for the technical vision
- Check docs/TODO.md for the active roadmap, especially interpolation and layering
- Open an issue or PR
The `.env` file hasn't evolved since 2012. It's time.