securestart · prochac · Dec 14, 2025 · prochac · Dec 14, 2025 · dirathea
diff --git a/examples/.env.templates b/examples/.env.templates
@@ -0,0 +1,7 @@
+API_KEY=sk_live_1234567890abcdef
+APP_NAME=MyAwesomeApp
+
+PG_USER=user
+PG_PASS=password
+PG_HOST=localhost
+PG_DATABASE=mydb
diff --git a/examples/.sstart.yml.templates b/examples/.sstart.yml.templates
@@ -0,0 +1,15 @@
+# Templates Usage Example
+# This demonstrates using templates: It allows you to build a secret as a
+# composite of multiple secrets from the source provider
+
+inherit: false
+
+providers:
+  - kind: dotenv
+    path: .env.templates
+    keys:
+      API_KEY: API_SECRET_KEY
+      APP_NAME: ==
+    templates: # Use classic Go text/template syntax
+      PG_DSN: |
+        postgresql://{{ .Env.PG_USER }}:{{ .Env.PG_PASS }}@{{ .Env.PG_HOST }}:5432/{{ .Env.PG_DATABASE }}
diff --git a/internal/app/runner_unix.go b/internal/app/runner_unix.go
@@ -21,4 +21,3 @@ func registerSignals(sigChan chan os.Signal) {
 	// Register for interrupt and terminate signals
 	signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
 }
-
diff --git a/internal/app/runner_windows.go b/internal/app/runner_windows.go
@@ -18,4 +18,3 @@ func registerSignals(sigChan chan os.Signal) {
 	// On Windows, only os.Interrupt (Ctrl+C) is available
 	signal.Notify(sigChan, os.Interrupt)
 }
-
diff --git a/internal/cli/run.go b/internal/cli/run.go
@@ -10,9 +10,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var (
-	runProviders []string
-)
+var runProviders []string
 
 var runCmd = &cobra.Command{
 	Use:   "run [flags] -- <command> [args...]",

diff --git a/internal/cli/sh.go b/internal/cli/sh.go
@@ -26,4 +26,3 @@ Example:
 func init() {
 	rootCmd.AddCommand(shCmd)
 }
-
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -3,25 +3,27 @@ package config
 import (
 	"fmt"
 	"os"
+	"text/template"
 
 	"gopkg.in/yaml.v3"
 )
 
 // Config represents the main configuration structure
 type Config struct {
-	Inherit   bool             `yaml:"inherit"`   // Whether to inherit system environment variables (default: true)
+	Inherit   bool             `yaml:"inherit"` // Whether to inherit system environment variables (default: true)
 	Providers []ProviderConfig `yaml:"providers"`
 }
 
 // ProviderConfig represents a single provider configuration
 // Each provider loads from a single source. To load multiple secrets from the same provider type,
 // configure multiple provider instances with the same 'kind' but different 'id' values.
 type ProviderConfig struct {
-	Kind   string                 `yaml:"kind"`
-	ID     string                 `yaml:"id,omitempty"`   // Optional: defaults to 'kind'. Required if multiple providers share the same kind
-	Config map[string]interface{} `yaml:"-"`              // Provider-specific configuration (e.g., path, region, endpoint, etc.)
-	Keys   map[string]string      `yaml:"keys,omitempty"` // Optional key mappings (source_key: target_key, or "==" to keep same name)
-	Env    EnvVars                `yaml:"env,omitempty"`
+	Kind      string                 `yaml:"kind"`
+	ID        string                 `yaml:"id,omitempty"`        // Optional: defaults to 'kind'. Required if multiple providers share the same kind
+	Config    map[string]interface{} `yaml:"-"`                   // Provider-specific configuration (e.g., path, region, endpoint, etc.)
+	Keys      map[string]string      `yaml:"keys,omitempty"`      // Optional key mappings (source_key: target_key, or "==" to keep same name)
+	Templates []*template.Template   `yaml:"templates,omitempty"` // Optional templates mappings (target_key: str(Go template))
+	Env       EnvVars                `yaml:"env,omitempty"`
 }
 
 // UnmarshalYAML implements custom YAML unmarshaling to capture provider-specific fields
@@ -53,6 +55,21 @@ func (p *ProviderConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
 		delete(raw, "keys")
 	}
 
+	if templates, ok := raw["templates"].(map[string]interface{}); ok {
+		for k, v := range templates {
+			str, ok := v.(string)
+			if !ok {
+				return fmt.Errorf("invalid template format")
+			}
+			tmpl := template.New(k)
+			if _, err := tmpl.Parse(str); err != nil {
+				return err
+			}
+			p.Templates = append(p.Templates, tmpl)
+		}
+		delete(raw, "templates")
+	}
+
 	if env, ok := raw["env"].(map[string]interface{}); ok {
 		p.Env = make(EnvVars)
 		for k, v := range env {

diff --git a/internal/config/config_e2e_test.go b/internal/config/config_e2e_test.go
@@ -154,7 +154,7 @@ providers:
 			// Create temporary YAML file
 			tmpDir := t.TempDir()
 			yamlFile := filepath.Join(tmpDir, "test.yml")
-			if err := os.WriteFile(yamlFile, []byte(tt.yamlContent), 0644); err != nil {
+			if err := os.WriteFile(yamlFile, []byte(tt.yamlContent), 0o644); err != nil {
 				t.Fatalf("Failed to create test YAML file: %v", err)
 			}
 
@@ -286,7 +286,7 @@ providers:
 			// Create temporary YAML file
 			tmpDir := t.TempDir()
 			yamlFile := filepath.Join(tmpDir, "test.yml")
-			if err := os.WriteFile(yamlFile, []byte(tt.yamlContent), 0644); err != nil {
+			if err := os.WriteFile(yamlFile, []byte(tt.yamlContent), 0o644); err != nil {
 				t.Fatalf("Failed to create test YAML file: %v", err)
 			}
 
@@ -336,7 +336,7 @@ providers:
 
 	tmpDir := t.TempDir()
 	yamlFile := filepath.Join(tmpDir, "test.yml")
-	if err := os.WriteFile(yamlFile, []byte(yamlContent), 0644); err != nil {
+	if err := os.WriteFile(yamlFile, []byte(yamlContent), 0o644); err != nil {
 		t.Fatalf("Failed to create test YAML file: %v", err)
 	}
 
@@ -416,7 +416,7 @@ providers:
 
 	tmpDir := t.TempDir()
 	yamlFile := filepath.Join(tmpDir, "test.yml")
-	if err := os.WriteFile(yamlFile, []byte(yamlContent), 0644); err != nil {
+	if err := os.WriteFile(yamlFile, []byte(yamlContent), 0o644); err != nil {
 		t.Fatalf("Failed to create test YAML file: %v", err)
 	}
 
@@ -473,7 +473,7 @@ providers:
 
 	tmpDir := t.TempDir()
 	yamlFile := filepath.Join(tmpDir, "test.yml")
-	if err := os.WriteFile(yamlFile, []byte(yamlContent), 0644); err != nil {
+	if err := os.WriteFile(yamlFile, []byte(yamlContent), 0o644); err != nil {
 		t.Fatalf("Failed to create test YAML file: %v", err)
 	}
 
@@ -614,7 +614,7 @@ providers:
 			// Create temporary YAML file
 			tmpDir := t.TempDir()
 			yamlFile := filepath.Join(tmpDir, "test.yml")
-			if err := os.WriteFile(yamlFile, []byte(tt.yamlContent), 0644); err != nil {
+			if err := os.WriteFile(yamlFile, []byte(tt.yamlContent), 0o644); err != nil {
 				t.Fatalf("Failed to create test YAML file: %v", err)
 			}
 
@@ -643,7 +643,7 @@ providers:
 
 			// Try to Fetch (will fail for missing connections/credentials, but config parsing should work)
 			ctx := context.Background()
-			_, err = prov.Fetch(ctx, providerCfg.ID, providerCfg.Config, providerCfg.Keys)
+			_, err = prov.Fetch(ctx, providerCfg.ID, providerCfg.Config)
 
 			if (err != nil) != tt.expectParseErr {
 				t.Errorf("Expected parse error: %v, got error: %v", tt.expectParseErr, err)

diff --git a/internal/provider/aws/secretsmanager.go b/internal/provider/aws/secretsmanager.go
@@ -42,7 +42,7 @@ func (p *SecretsManagerProvider) Name() string {
 }
 
 // Fetch fetches secrets from AWS Secrets Manager
-func (p *SecretsManagerProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}, keys map[string]string) ([]provider.KeyValue, error) {
+func (p *SecretsManagerProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}) ([]provider.KeyValue, error) {
 	// Convert map to strongly typed config struct
 	cfg, err := parseConfig(config)
 	if err != nil {
@@ -87,26 +87,9 @@ func (p *SecretsManagerProvider) Fetch(ctx context.Context, mapID string, config
 	// Map keys according to configuration
 	kvs := make([]provider.KeyValue, 0)
 	for k, v := range secretData {
-		targetKey := k
-
-		// Check if there's a specific mapping
-		if mappedKey, exists := keys[k]; exists {
-			if mappedKey == "==" {
-				targetKey = k // Keep same name
-			} else {
-				targetKey = mappedKey
-			}
-		} else if len(keys) == 0 {
-			// No keys specified means map everything
-			targetKey = k
-		} else {
-			// Skip keys not in the mapping
-			continue
-		}
-
 		value := fmt.Sprintf("%v", v)
 		kvs = append(kvs, provider.KeyValue{
-			Key:   targetKey,
+			Key:   k,
 			Value: value,
 		})
 	}

diff --git a/internal/provider/aws/secretsmanager_test.go b/internal/provider/aws/secretsmanager_test.go
@@ -7,8 +7,8 @@ import (
 
 func TestParseConfig(t *testing.T) {
 	tests := []struct {
-		name        string
-		config      map[string]interface{}
+		name         string
+		config       map[string]interface{}
 		wantSecretID string
 		wantRegion   string
 		wantEndpoint string
@@ -130,7 +130,7 @@ func TestSecretsManagerProvider_Fetch_ConfigValidation(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := context.Background()
-			_, err := provider.Fetch(ctx, "test-map", tt.config, nil)
+			_, err := provider.Fetch(ctx, "test-map", tt.config)
 
 			if (err != nil) != tt.wantErr {
 				t.Errorf("SecretsManagerProvider.Fetch() error = %v, wantErr %v", err, tt.wantErr)
@@ -261,4 +261,3 @@ func containsSubstring(s, substr string) bool {
 	}
 	return false
 }
-
diff --git a/internal/provider/azurekeyvault/azurekeyvault.go b/internal/provider/azurekeyvault/azurekeyvault.go
@@ -43,7 +43,7 @@ func (p *AzureKeyVaultProvider) Name() string {
 }
 
 // Fetch fetches secrets from Azure Key Vault
-func (p *AzureKeyVaultProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}, keys map[string]string) ([]provider.KeyValue, error) {
+func (p *AzureKeyVaultProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}) ([]provider.KeyValue, error) {
 	// Convert map to strongly typed config struct
 	cfg, err := parseConfig(config)
 	if err != nil {
@@ -100,26 +100,9 @@ func (p *AzureKeyVaultProvider) Fetch(ctx context.Context, mapID string, config
 	// Map keys according to configuration
 	kvs := make([]provider.KeyValue, 0)
 	for k, v := range secretData {
-		targetKey := k
-
-		// Check if there's a specific mapping
-		if mappedKey, exists := keys[k]; exists {
-			if mappedKey == "==" {
-				targetKey = k // Keep same name
-			} else {
-				targetKey = mappedKey
-			}
-		} else if len(keys) == 0 {
-			// No keys specified means map everything
-			targetKey = k
-		} else {
-			// Skip keys not in the mapping
-			continue
-		}
-
 		value := fmt.Sprintf("%v", v)
 		kvs = append(kvs, provider.KeyValue{
-			Key:   targetKey,
+			Key:   k,
 			Value: value,
 		})
 	}

diff --git a/internal/provider/bitwarden/bitwarden.go b/internal/provider/bitwarden/bitwarden.go
@@ -96,7 +96,7 @@ func (p *BitwardenProvider) Name() string {
 }
 
 // Fetch fetches secrets from personal Bitwarden vault using REST API
-func (p *BitwardenProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}, keys map[string]string) ([]provider.KeyValue, error) {
+func (p *BitwardenProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}) ([]provider.KeyValue, error) {
 	// Convert map to strongly typed config struct
 	cfg, err := parseConfig(config)
 	if err != nil {
@@ -218,7 +218,7 @@ func (p *BitwardenProvider) Fetch(ctx context.Context, mapID string, config map[
 	case "both":
 		// Parse both notes and fields, with fields taking precedence
 		secretData = make(map[string]interface{})
-		
+
 		// First, parse notes as JSON (if available)
 		if item.Notes != "" {
 			var noteData map[string]interface{}
@@ -229,14 +229,14 @@ func (p *BitwardenProvider) Fetch(ctx context.Context, mapID string, config map[
 				}
 			}
 		}
-		
+
 		// Then, add fields (which will override any duplicate keys from notes)
 		for _, field := range item.Fields {
 			if field.Type == 0 || field.Type == 1 { // Text or Hidden
 				secretData[field.Name] = field.Value
 			}
 		}
-		
+
 		// Also include login credentials if available
 		if item.Login != nil {
 			if item.Login.Username != "" {
@@ -246,7 +246,7 @@ func (p *BitwardenProvider) Fetch(ctx context.Context, mapID string, config map[
 				secretData["password"] = item.Login.Password
 			}
 		}
-		
+
 		if len(secretData) == 0 {
 			return nil, fmt.Errorf("bitwarden item '%s' has no fields or notes for 'both' format", cfg.ItemID)
 		}
@@ -283,26 +283,9 @@ func (p *BitwardenProvider) Fetch(ctx context.Context, mapID string, config map[
 	// Map keys according to configuration
 	kvs := make([]provider.KeyValue, 0)
 	for k, v := range secretData {
-		targetKey := k
-
-		// Check if there's a specific mapping
-		if mappedKey, exists := keys[k]; exists {
-			if mappedKey == "==" {
-				targetKey = k // Keep same name
-			} else {
-				targetKey = mappedKey
-			}
-		} else if len(keys) == 0 {
-			// No keys specified means map everything
-			targetKey = k
-		} else {
-			// Skip keys not in the mapping
-			continue
-		}
-
 		value := fmt.Sprintf("%v", v)
 		kvs = append(kvs, provider.KeyValue{
-			Key:   targetKey,
+			Key:   k,
 			Value: value,
 		})
 	}

diff --git a/internal/provider/bitwarden/bitwarden_sm.go b/internal/provider/bitwarden/bitwarden_sm.go
@@ -41,7 +41,7 @@ func (p *BitwardenSMProvider) Name() string {
 
 // Fetch fetches all secrets from a Bitwarden Secret Manager project
 // Only Key-Value pairs are extracted from secrets. Note fields are ignored.
-func (p *BitwardenSMProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}, keys map[string]string) ([]provider.KeyValue, error) {
+func (p *BitwardenSMProvider) Fetch(ctx context.Context, mapID string, config map[string]interface{}) ([]provider.KeyValue, error) {
 	// Convert map to strongly typed config struct
 	cfg, err := parseSMConfig(config)
 	if err != nil {
@@ -124,26 +124,9 @@ func (p *BitwardenSMProvider) Fetch(ctx context.Context, mapID string, config ma
 	// Map keys according to configuration
 	kvs := make([]provider.KeyValue, 0)
 	for k, v := range secretData {
-		targetKey := k
-
-		// Check if there's a specific mapping
-		if mappedKey, exists := keys[k]; exists {
-			if mappedKey == "==" {
-				targetKey = k // Keep same name
-			} else {
-				targetKey = mappedKey
-			}
-		} else if len(keys) == 0 {
-			// No keys specified means map everything
-			targetKey = k
-		} else {
-			// Skip keys not in the mapping
-			continue
-		}
-
 		value := fmt.Sprintf("%v", v)
 		kvs = append(kvs, provider.KeyValue{
-			Key:   targetKey,
+			Key:   k,
 			Value: value,
 		})
 	}
@@ -194,7 +177,6 @@ func (p *BitwardenSMProvider) ensureClient(serverURL, accessToken string) error
 	return nil
 }
 
-
 // parseSMConfig converts a map[string]interface{} to BitwardenSMConfig
 func parseSMConfig(config map[string]interface{}) (*BitwardenSMConfig, error) {
 	// Use JSON marshaling/unmarshaling for clean conversion
Original file line number	Diff line number	Diff line change
Expand Up		@@ -21,4 +21,3 @@ func registerSignals(sigChan chan os.Signal) {
		// Register for interrupt and terminate signals
		signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -18,4 +18,3 @@ func registerSignals(sigChan chan os.Signal) {
		// On Windows, only os.Interrupt (Ctrl+C) is available
		signal.Notify(sigChan, os.Interrupt)
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -26,4 +26,3 @@ Example:
		func init() {
		rootCmd.AddCommand(shCmd)
		}