🔐 bwenv

Sync secrets from your password manager into your shell environment — beautifully.

bwenv is a cross-platform CLI tool that bridges your password manager and your shell environment using direnv. It lets you load secrets from Bitwarden or 1Password directly into your project's environment variables — no manual copy-pasting, no secrets in .env files committed to git.

Built with Go, Bubble Tea, and Lipgloss for a fast, beautiful, and truly cross-platform experience.

Managing secrets across projects is painful. .env files get committed by accident, tokens expire and break your workflow, and switching between projects means manual copy-pasting. bwenv solves this by fetching secrets directly from your vault — live, per-directory, automatically.

The original bwenv was built around Makefile, Bash, and PowerShell scripts. That version worked, but keeping the behavior consistent across macOS, Linux, and Windows became harder than it needed to be. The project was rewritten in Go for better cross-platform support, simpler installation, and a single static binary for every platform with zero runtime dependencies beyond your password manager CLI and direnv.

AI coding assistants (Claude Code, Cursor, Copilot, etc.) read your project files and environment to understand context. This creates a unique challenge for secrets:

• Leak prevention — .env files in your project are a risk; AI tools may read or suggest committing them. bwenv keeps secrets in your vault, never on disk.
• AI sees zero secrets — The .envrc file contains only a reference to bwenv export; no keys, no tokens, no passwords.
• Works with AI in the shell — Secrets loaded via direnv are available as environment variables that AI tools inherit from the terminal.
• No more "oops, I committed the .env" — When AI suggests git add ., there's nothing sensitive to accidentally include.
• Share context safely — Share your .envrc in repos, docs, or with AI without exposing any real credentials.

• 🎯 Pinpoint selection — Load only specific items from a folder via TUI multi-select or --items CLI flag
• 🔑 Multi-provider support — Works with Bitwarden (bw CLI) and 1Password (op CLI)
• 🎨 Beautiful TUI — Interactive provider and folder selection with arrow keys, search, and filtering
• 📁 Automatic .envrc generation — Creates direnv-compatible files that auto-load your secrets
• 🖥️ True cross-platform — Single binary for Linux, macOS, and Windows (amd64 + arm64)
• 🔍 Smart diagnostics — bwenv status checks every dependency, session, and config
• ⚙️ Configurable UI — Toggle emoji, direnv output, export summaries via bwenv config
• 🔑 Quick re-auth — Session expired? bwenv login re-authenticates and updates your .envrc in one step
• 🔒 Secure logout — Lock vaults and terminate sessions with bwenv logout
• ⚡ Zero runtime dependencies — Just the Go binary + your password manager CLI + direnv
• 📦 Easy installation — Homebrew, Scoop, APT/DNF, go install, or direct download

You need at least one password manager CLI installed. bwenv will detect what's available and let you choose.

Important: You must be logged into your password manager's CLI before running bwenv. Depending on your provider:

• Bitwarden: Run bw login first (one-time setup), then bwenv init will prompt for your master password to unlock.
• 1Password: Run op signin first, or rely on desktop app biometrics (op v2).

If you haven't logged into the CLI yet, bwenv will fail at the authentication step. See INSTALL.md for detailed setup instructions.

brew tap s1ks1/bwenv
brew install --cask bwenv

scoop bucket add bwenv https://github.com/s1ks1/scoop-bwenv
scoop install bwenv

Download the .deb package from the latest release:

# Download (replace VERSION and ARCH as needed)
curl -LO https://github.com/s1ks1/bwenv/releases/latest/download/bwenv_VERSION_amd64.deb

# Install
sudo dpkg -i bwenv_*_amd64.deb

# Download (replace VERSION and ARCH as needed)
curl -LO https://github.com/s1ks1/bwenv/releases/latest/download/bwenv_VERSION_amd64.rpm

# Install
sudo rpm -i bwenv_*_amd64.rpm

go install github.com/s1ks1/bwenv@latest

macOS / Linux:

curl -fsSL https://raw.githubusercontent.com/s1ks1/bwenv/main/install.sh | sh

Windows (PowerShell):

irm https://raw.githubusercontent.com/s1ks1/bwenv/main/install.ps1 | iex

git clone https://github.com/s1ks1/bwenv.git
cd bwenv
make build
make install

For local development, use make run ARGS="status" to build and run the CLI without installing it globally.

Download the latest binary for your platform from the Releases page, extract it, and place bwenv somewhere in your PATH.

bwenv status

For detailed installation instructions on all platforms, including testing workflows for Bitwarden and 1Password, see INSTALL.md.

bwenv init

This launches a full interactive TUI flow:

1. Select a provider — Choose between Bitwarden, 1Password (or whichever CLIs you have installed)
2. Authenticate — Unlock your vault or sign in (master password, biometrics, etc.)
3. Pick a folder — Browse, search, and select the folder/vault containing your secrets
4. Pick specific items — Choose individual items to load, or load all items in the folder
5. Generate .envrc — A direnv-compatible file is created in the current directory

Then just:

cd .    # Trigger direnv to load secrets

Your secrets are now loaded as environment variables every time you cd into this directory! 🎉

For CI/CD pipelines, scripts, or advanced usage, you can export secrets directly:

# Output "export KEY=VALUE" lines to stdout
bwenv export --provider bitwarden --folder "MySecrets"

# Export only specific items from a folder
bwenv export --provider bitwarden --folder "MySecrets" --items "item-id-1,item-id-2"

# Use with eval to set variables in the current shell
eval "$(bwenv export --provider bitwarden --folder "MySecrets")"

# Works with 1Password too
eval "$(bwenv export --provider 1password --folder "Production")"

bwenv config

Opens an interactive settings editor where you can toggle:

Settings are persisted to ~/.config/bwenv/config.json.

bwenv login

If your vault session has expired, bwenv login will:

• Detect which provider is configured in your .envrc
• Re-authenticate with that provider (unlock/sign in)
• Update the session token in your .envrc
• Auto-approve the updated .envrc via direnv

This is much faster than running bwenv init again — it skips provider and folder selection entirely.

Alias: bwenv auth works too.

bwenv logout

Terminates all active provider sessions for security:

• Bitwarden — runs bw lock to lock the vault
• 1Password — runs op signout to end the session
• Shows any lingering session environment variables and how to clear them

Use this when you're done working with secrets or stepping away from your machine.

bwenv status

Shows a comprehensive overview of your current bwenv state:

• Current directory and .envrc info (provider, folder)
• direnv installation and hook status
• Provider availability and active sessions
• Relevant environment variables (masked for security)
• Current config preferences

bwenv remove

Deletes the .envrc file from the current directory.

bwenv version

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  bwenv init  │────▸│ Provider CLI │────▸│   .envrc     │
│  (TUI flow)  │     │ (bw / op)    │     │  (generated) │
└──────────────┘     └──────────────┘     └──────┬───────┘
                                                  │
                                                  ▼
                                          ┌──────────────┐
                                          │   direnv     │
                                          │  (auto-load) │
                                          └──────┬───────┘
                                                  │
                                                  ▼
                                          ┌──────────────┐
                                          │ Environment  │
                                          │  Variables   │
                                          │  $API_KEY    │
                                          │  $DB_URL     │
                                          │  $SECRET     │
                                          └──────────────┘

1. bwenv init walks you through an interactive setup — pick your provider, folder, and optionally specific items
2. It generates an .envrc file that contains a single eval call to bwenv export
3. When direnv loads the .envrc, it runs bwenv export which fetches fresh secrets from your vault
4. Each secret's custom fields (Bitwarden) or item fields (1Password) are exported as environment variables

No secrets are stored on disk (except session tokens which expire). The .envrc fetches secrets live from your vault each time direnv loads it.

bwenv/
├── main.go                          # Entry point and CLI routing
├── INSTALL.md                       # Detailed install & testing guide
├── install.sh                       # macOS/Linux quick install script
├── install.ps1                      # Windows quick install script
├── internal/
│   ├── provider/
│   │   ├── provider.go              # Provider interface and registry
│   │   ├── bitwarden.go             # Bitwarden (bw CLI) implementation
│   │   └── onepassword.go           # 1Password (op CLI) implementation
│   ├── ui/
│   │   ├── styles.go                # Lipgloss color palette and shared styles
│   │   ├── output.go                # Styled print helpers (success, error, etc.)
│   │   ├── provider_picker.go       # Bubble Tea model for provider selection
│   │   ├── folder_picker.go         # Bubble Tea model for folder selection
│   │   ├── init_flow.go             # Orchestrates the full init TUI flow
│   │   ├── login_flow.go            # Re-authentication flow for expired sessions
│   │   ├── config_flow.go           # Interactive config editor TUI
│   │   ├── logout_flow.go           # Vault locking and session termination
│   │   └── status_flow.go           # Status overview & diagnostics
│   ├── envrc/
│   │   └── envrc.go                 # .envrc generation, export, allow/disallow
│   └── config/
│       └── config.go                # Persistent user preferences (~/.config/bwenv/)
├── Makefile                         # Build, install, test, release targets
├── .goreleaser.yml                  # GoReleaser config for cross-platform releases
├── .github/workflows/               # GitHub Actions workflows
├── packaging/
│   ├── homebrew/bwenv.rb            # Homebrew formula template
│   ├── windows/bwenv.cmd            # Windows command shim
│   └── scoop/bwenv.json             # Scoop manifest template
├── LICENSE
└── README.md

make build        # Build for current platform → dist/bwenv
make run          # Build and run
make run ARGS="status"  # Build and run with arguments

make test         # Run all Go tests
make lint         # Run go vet + staticcheck
make fmt          # Format all Go source files
make tidy         # Clean up go.mod/go.sum

main is the stable branch and release source. Work on feature branches, open a pull request, and merge the branch back into main when checks pass. This keeps the history easy to follow and makes a fresh clone straightforward:

git clone https://github.com/s1ks1/bwenv.git
cd bwenv
git switch main
make build

For local pulls, prefer merge-based updates:

git config pull.rebase false
git pull origin main

# Local test build (no publish)
goreleaser release --snapshot --clean

# Full release (requires GITHUB_TOKEN)
goreleaser release --clean

# Or use the Makefile for a simple cross-compile
make release

1. Create a new file in internal/provider/ (e.g. doppler.go)
2. Implement the Provider interface (including the Lock() method)
3. Call Register(&YourProvider{}) in an init() function
4. That's it — the provider will automatically appear in the TUI picker and CLI flags

Want another provider? Open an issue or submit a PR! The provider interface is designed to be easy to extend.

If you're upgrading from the original Bash-based bwenv:

1. Uninstall the old version:

   # If installed via the old install.sh or make:
   rm -f ~/.local/bin/bwenv
   rm -f ~/.config/direnv/lib/bitwarden_folders.sh
   
   # If installed via Homebrew:
   brew uninstall --cask bwenv

2. Install the new version:

   brew tap s1ks1/bwenv
   brew install --cask bwenv

3. Re-initialize your projects:

   cd your-project
   bwenv init    # New interactive TUI flow
   direnv allow

4. Configure preferences (optional):

   bwenv config  # Toggle emoji, direnv output, etc.

MIT License. See LICENSE for details.

Pull requests are welcome! For major changes, please open an issue first to discuss what you'd like to change.

The codebase is intentionally well-commented to make it easy for contributors who may not be deeply familiar with Go, Bubble Tea, or Lipgloss.