EnvCourier

A self-hostable, open-source secrets manager for developer teams.

---

📖 What is EnvCourier?

EnvCourier replaces the insecure practice of sharing .env files over Slack, email, or Git with a centralized, encrypted dashboard. It lets developer teams store, manage, and inject environment secrets (API keys, database passwords, tokens) per project and per environment — all via a clean UI and a simple REST API.

Think Vault, but simpler, self-hosted, and built on the Laravel ecosystem you already know.

---

✨ Features

Feature	Description
🗂 Projects & Environments	Organize secrets by project (e.g. "Payment Service") and deployment stage (Production, Staging, Local)
🔐 AES-256 Encryption	All secret values are encrypted at rest using Laravel's OpenSSL-backed encryption. Values are only decrypted on demand
📋 Audit Logging	Every secret view, creation, update, and deletion is tracked with a timestamped audit trail
🌐 REST API	Pull secrets directly into your apps or CI/CD pipelines at runtime via Bearer token
👥 Teams & RBAC	Multi-tenant support — each user belongs to a team. Roles (super_admin, user) control access
🛡 Sitemaster Console	A dedicated super-admin panel at /sitemaster to manage users, tenants, and system health
🔁 User Impersonation	Admins can impersonate any user for support and debugging purposes
⚡ Reactive UI	Built with Livewire 3 — real-time search, filters, and updates without full page reloads

---

🚀 Getting Started

Requirements

• PHP 8.2+ with extensions: openssl, pdo, mbstring, tokenizer, xml, ctype, json
• Composer
• Node.js 20+ & npm
• SQLite (default) or MySQL / PostgreSQL

---

Installation

1. Clone the repository

git clone https://github.com/HilalLko/EnvCourier.git
cd EnvCourier

2. Install PHP dependencies

composer install

3. Configure your environment

cp .env.example .env
php artisan key:generate

Open .env and set your database connection. By default it uses SQLite (no config needed):

DB_CONNECTION=sqlite
# DB_CONNECTION=mysql
# DB_HOST=127.0.0.1
# DB_PORT=3306
# DB_DATABASE=envcourier
# DB_USERNAME=root
# DB_PASSWORD=

4. Run migrations & seed

php artisan migrate

# Seed roles + create a default super admin account
php artisan db:seed --class=RoleSeeder
php artisan db:seed --class=AdminUserSeeder

Default super admin credentials:
The seeder outputs the email and password to the console after running.

5. Build frontend assets

npm install && npm run build

6. Start the server

php artisan serve --port=1234

Visit http://localhost:1234 in your browser.

---

One-command setup (via Composer script)

composer setup

This runs composer install, generates the app key, runs migrations, installs npm packages, and builds assets in one shot.

---

Development Mode (with hot reload)

composer dev

This concurrently starts the Laravel server, queue worker, Pail log viewer, and Vite dev server.

---

🛡 Sitemaster Console

Super admins can access the platform management panel at:

/sitemaster

From here you can:

• Browse and search all registered users
• Impersonate any user for debugging
• View all tenant organizations
• Monitor system health and application logs

Regular users attempting to access /sitemaster will receive a 403 Forbidden response.

---

🌐 REST API

Inject secrets into your applications or CI/CD pipelines at runtime:

GET /api/projects/{project_uuid}/environments/{env_slug}/secrets
Authorization: Bearer <your-token>
Accept: application/json

Example — inject into shell environment:

eval $(curl -s \
  -H "Authorization: Bearer $ENVOY_TOKEN" \
  "https://your-envcourier.app/api/projects/$PROJECT_ID/environments/production/secrets" \
  | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""')

API tokens are managed under Profile → API Tokens inside the app (powered by Laravel Sanctum).

---

🧪 Running Tests

# Run the full test suite
composer test

# Or run directly with Pest
php artisan test

# Run a specific test group
php artisan test --filter=AdminTest
php artisan test --filter=ProjectTest

The test suite covers authentication, project management, secrets, RBAC, and admin features.

---

🏗 Tech Stack & Credits

EnvCourier is built on the shoulders of great open-source packages:

Package	Purpose
Laravel 12	Application framework
Laravel Jetstream	Authentication, teams, profile management, and 2FA scaffolding
Laravel Sanctum	API token authentication
Livewire 3	Reactive server-driven UI components
Tailwind CSS	Utility-first CSS styling
PestPHP	Expressive test framework
Laravel Pail	Real-time log tailing in the terminal
Laravel Pint	Opinionated PHP code style fixer

---

🤝 Contributing

Contributions are welcome! Here's how to get started:

1. Fork & clone

git clone https://github.com/HilalLko/EnvCourier.git
cd EnvCourier
composer install && npm install

2. Create a feature branch

git checkout -b feature/your-feature-name

Use descriptive branch names:

• feature/ — new functionality
• fix/ — bug fixes
• docs/ — documentation changes
• refactor/ — code improvements

3. Write code and tests

• Follow PSR-12 coding standards (enforced by Pint)
• Write or update Pest tests for any new functionality
• Keep Livewire components focused (one responsibility per component)

# Check code style
./vendor/bin/pint --test

# Fix code style automatically
./vendor/bin/pint

# Run tests
php artisan test

4. Commit with a clear message

We follow Conventional Commits:

feat: add environment duplication feature
fix: encrypt secrets before storing in DB
docs: update API reference for secrets endpoint

5. Open a Pull Request

• Describe what changed and why
• Reference any related issues with Closes #123
• Ensure all tests pass and no style violations exist

---

🗺 Roadmap

• Webhook notifications on secret access
• Dedicated CLI tool (envoy pull)
• Secret versioning & rollback
• Docker-ready deployment image
• SSO / SAML support

---

📄 License

EnvCourier is open-source software licensed under the MIT License.

MIT License — free to use, modify, and distribute.
Attribution appreciated but not required.

---

Made with ❤️ using Laravel, Livewire, and Tailwind CSS