Shelve

At a Glance:

Shelve is an open-source secrets management platform that centralizes environment variables and API keys in an encrypted vault, syncs with GitHub Actions, and provides a CLI for terminal-based push, pull, and injection workflows.

Overview:

Shelve is an open-source secrets management platform designed to centralize and secure application environment variables and API keys. It addresses the friction of scattered .env files by providing an encrypted, centralized vault with per-environment parity. The project targets developers seeking a unified tool for configuration management, offering a command palette, a dedicated CLI for pushing and pulling secrets, and a GitHub App for syncing with repository secrets and Actions. The platform also incorporates role-based workspaces for managing access across members.

Key Decision Points:

• Centralized vault with encryption: Secrets are stored in a single dashboard and protected at rest using SHA-256 hashing and AES-256 encryption, providing a structured alternative to local .env files.

• CLI-first developer workflow: The @shelve/cli tool supports fetching (shelve pull), pushing (shelve push), and directly injecting secrets (shelve run) into processes from the terminal.

• GitHub integration via official app: The platform includes an official GitHub App to automatically sync secrets with GitHub Actions and repository secrets, fitting workflows that rely on CI/CD pipelines.

• Team-level access control: Workspaces support simple role-based permissions with Owner, Admin, and Member roles, enabling collaborative management of project secrets.

• Self-hosting via Vercel: The documentation provides instructions for deploying Shelve on a user's own Vercel account, supporting users who prefer to manage their own infrastructure.

Core Features:

• Encrypted Centralized Vault: Stores API keys, tokens, and variables in a single dashboard with SHA-256 and AES-256 encryption at rest.

• Environment Parity: Manages configurations across separate environments like development, staging, and production, plus custom environments.

• CLI Push, Pull, and Inject: The @shelve/cli enables pulling and pushing secrets, and the shelve run command injects them directly into application processes.

• GitHub Actions & Repository Sync: A GitHub App automatically synchronizes secrets with GitHub Actions and repository-level secrets.

• Role-Based Workspaces: Organizes projects into workspaces with Owner, Admin, and Member permission levels for team access control.

• Secure Secret Sharing: A built-in feature for sharing secrets with a time limit directly through the vault.

Use Cases:

• Developers synchronizing local configurations: A developer can use shelve pull to retrieve the latest environment variables into their local project, replacing manual .env file management.

• Teams securing shared credentials: A team using GitHub can connect the Shelve GitHub App to automatically sync encrypted secrets into their CI/CD pipeline without sharing them in plain text.

• Self-hosting configuration management: Users who want to manage their own instance can deploy Shelve to their Vercel account using the provided self-hosting instructions, retaining control over their data.

Open-Source Alternative Value:

As an open-source project under the Apache-2.0 license, Shelve allows for deployment on a user's own Vercel account, providing a self-managed path for a centrally hosted secrets vault. The platform's value is rooted in its combination of a dedicated CLI, a GitHub-native sync integration, and a structured approach to secret storage, offering an alternative to managing secrets solely through platform-specific CI/CD variables or local files. The role-based workspace model further provides a transparent access control structure for teams.