This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
- Format code: `make fmt` or `go fmt ./...`
- Vet code: `make vet` or `go vet ./...`
- Run unit tests: `make test` or `go test ./...`
- Run all tests (including e2e): `make test-e2e` or `go test -tags=e2e ./...`
- Build binary: `make build` (outputs to `bin/murmur`)
- Run specific test: `go test ./path/to/package -run TestName`
- Run e2e tests for specific provider: `go test -tags=e2e ./pkg/murmur/providers/awssm`
Murmur is a secrets injection tool that fetches secrets from various cloud providers and injects them as environment variables for subprocesses.
Command Structure:
- `main.go` → `pkg/cmd/` → `pkg/murmur/`
- Primary commands: `run` (preferred) and `exec` (deprecated)
Provider System (`pkg/murmur/providers/`):
- Each provider implements the `Provider` interface with `Resolve()` and `Close()` methods
- Supported providers: `awssm` (AWS Secrets Manager), `azkv` (Azure Key Vault), `gcpsm` (GCP Secret Manager), `scwsm` (Scaleway Secret Manager), `passthrough` (testing)
- Provider registration in `provider.go` via `ProviderFactories` map
Query Processing Pipeline (`resolve.go`):
- Parse: Environment variables → query objects (`provider_id:secret_ref|filter_id:filter_rule`)
- Resolve: Fetch secrets from providers (concurrent by provider, cached for duplicates)
- Filter: Apply transformations like JSONPath parsing
- Output: Final environment variables for subprocess
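
The parse stage and the duplicate handling of the resolve stage, as an added Go example (not Murmur's own code). The names `Query`, `ParseQuery`, `Plan` and `ErrMalformed`, the split rules, and the choice to treat only values that start with a known provider id as queries are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Query is one parsed "provider_id:secret_ref|filter_id:filter_rule" value.
type Query struct{ Provider, Ref, FilterID, FilterRule string }

// ErrMalformed omits the offending value, which may itself be a credential.
var ErrMalformed = errors.New("malformed query")

// ParseQuery cuts at the first '|', then at the first ':' of each half, so a
// ':' inside the secret reference or the filter rule survives intact.
func ParseQuery(v string) (q Query, err error) {
	src, flt, hasFilter := strings.Cut(v, "|")
	q.Provider, q.Ref, _ = strings.Cut(src, ":")
	q.FilterID, q.FilterRule, _ = strings.Cut(flt, ":")
	if q.Provider == "" || q.Ref == "" || (hasFilter && (q.FilterID == "" || q.FilterRule == "")) {
		return Query{}, ErrMalformed
	}
	return q, nil
}

// Plan lists the distinct references per provider, so each is fetched once.
// Values not starting with a known provider id (PATH etc.) are skipped.
func Plan(env map[string]string, known map[string]bool) (map[string][]string, error) {
	seen, plan := map[[2]string]bool{}, map[string][]string{}
	for name, v := range env {
		if id, _, ok := strings.Cut(v, ":"); !ok || !known[id] {
			continue
		}
		q, err := ParseQuery(v)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err) // name only, never v
		}
		if k := [2]string{q.Provider, q.Ref}; !seen[k] {
			seen[k] = true
			plan[q.Provider] = append(plan[q.Provider], q.Ref)
		}
	}
	return plan, nil
}

func main() {
	env := map[string]string{"A": "awssm:db|jsonpath:{.user}", "B": "awssm:db|jsonpath:{.pass}"} // constructed
	fmt.Println(Plan(env, map[string]bool{"awssm": true}))
}
```

Each key of the returned map is a group that can be resolved independently of the others, which is what makes per-provider concurrency possible.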
Filter System (`filter.go`, `filters/`):
- Currently supports `jsonpath` filter using Kubernetes JSONPath syntax
- Filters transform raw secret values (e.g., extract fields from JSON secrets)
- Concurrent processing: Secrets are fetched concurrently per provider to minimize latency
- Caching: Duplicate secret references are cached to avoid redundant API calls
- Pipeline architecture: Variable processing flows through parse → resolve → filter stages
- Provider isolation: Each cloud provider is completely isolated in its own package
- Unit tests alongside source files (`*_test.go`)
- E2E tests require `-tags=e2e` flag and real cloud credentials
- Mock providers available for testing (`providers/mock/`, `providers/jsonmock/`)
- Test data in `pkg/murmur/testdata/`
Murmur uses a structured release process with organized release notes and automated tooling.
- Release Dry Run: `make release-dry-run` - Test the complete release process without publishing
- Release: `make release` - Create and publish a new release (requires `gh` CLI authentication)
- Prepare Release Notes: Create `docs/release-notes/vX.Y.Z.md` with comprehensive release notes
- Create Release Branch: `git checkout -b release/vX.Y.Z`
- Update VERSION: Change `VERSION` file to target version (e.g., `v0.7.0`)
- Commit and PR: `git commit -m "release vX.Y.Z"` and open PR
- Merge and Release: After PR merge, checkout main, pull, and run `make release`
Release notes in `docs/release-notes/` follow this structure:
- Emoji-prefixed sections (🔥, 📋, 📚, 🔧)
- Brief descriptions with code examples
- Links to documentation for detailed information
- User-focused language highlighting benefits
- Multi-platform binaries: Linux, macOS, Windows (amd64, arm64, 386)
- Container images: Automatic Docker image publishing to GitHub Container Registry
- GitHub integration: Automated release creation with binaries and checksums
- Release notes: Automatically included from `docs/release-notes/$(VERSION).md`
- Backward compatibility: Continues publishing both `murmur` and `whisper` binaries
- GoReleaser v2: Handles cross-compilation and publishing
- GitHub CLI (`gh`): Provides authentication token for releases
- Git tags: Version tags trigger GoReleaser's release process