Drop-in replacement for python-dotenv that resolves psamvault: placeholders at runtime
Project description
pv-dotenv
Drop-in replacement for python-dotenv that resolves psamvault: placeholders at runtime.
Keep your .env files safe from AI agents. The agent sees only placeholders. Your app gets the real secrets.
Why?
# Before: secrets in plaintext — any agent reading .env can see them
DATABASE_URL=postgresql://user:password@neon.tech/db
JWT_SECRET=your-secret-key
# After: placeholders — agent sees nothing, app resolves at runtime
DATABASE_URL=psamvault:DATABASE_URL
JWT_SECRET=psamvault:JWT_SECRET
Installation
pip install pv-dotenv
Quick Start
Replace your existing dotenv import:
# Before (python-dotenv):
from dotenv import load_dotenv
load_dotenv()
# After (pv-dotenv):
from pv_dotenv import load_dotenv
load_dotenv()
Everything else stays the same. Your code reads from os.environ exactly as before.
With project scoping
If you used scan_and_protect(project_name="my-project"), pass the same name:
load_dotenv(project_name="my-project")
Without modifying os.environ
from pv_dotenv import resolve_dotenv
values = resolve_dotenv()
# → {"DATABASE_URL": "postgresql://...", "JWT_SECRET": "..."}
Override existing env vars
By default, existing environment variables are not overwritten. To force override:
load_dotenv(override=True)
How It Works
- Reads your
.envfile (or custom path) - For each
psamvault:KEYvalue:- Fetches the encrypted blob from the psamvault backend
- Decrypts it locally using your Vault Encryption Key (VEK)
- Sets
os.environ[KEY]to the real value
- Non-
psamvault:values (likeNODE_ENV=production) pass through unchanged
Auth
| Path | Source | Works Where |
|---|---|---|
| A: OS Keychain | psamvault login |
Your dev machine |
| B: Env Vars | PSAMVAULT_VEK + PSAMVAULT_TOKEN |
Docker, CI, servers |
Path A requires no setup beyond psamvault login. Path B is for environments without a keychain (Docker, CI, servers).
Prerequisites
- Python 3.10+
- A psamvault account —
pipx install psamvaultandpsamvault login
Development
# Install dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
Related
| Package | What It Does |
|---|---|
psamvault-cli |
CLI + MCP server — manage your vault |
pv-dotenv |
SDK — resolve placeholders at runtime |
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pv_dotenv-0.1.0.tar.gz.
File metadata
- Download URL: pv_dotenv-0.1.0.tar.gz
- Upload date:
- Size: 9.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cd971120a6fdc999d8f2618dc7309c9e26962d588c8ee648db34206460f9e2d6
|
|
| MD5 |
1a8ab356110991f8fe43dda88bda2b82
|
|
| BLAKE2b-256 |
a180deb7b88dd01885d21cce247e8757be28e0fa421458591462fc6397edfabc
|
File details
Details for the file pv_dotenv-0.1.0-py3-none-any.whl.
File metadata
- Download URL: pv_dotenv-0.1.0-py3-none-any.whl
- Upload date:
- Size: 7.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
541c4611df871b8eeb4b1628a2f3de978d78a1d5d8f9736aa05b04541141a37b
|
|
| MD5 |
84af98a8b67240df2da88befb1f09f6b
|
|
| BLAKE2b-256 |
f7a6a86de4f18d540ad24a4308829f8667d15867c6576e77017133af08fb9778
|
