Avora Secrets
A VS Code extension that syncs project .env files between collaborators through
your Avora dashboard — Git-style pull / push / sync, but for secrets, and
routed through your dashboard instead of git.
Backend moved into the PMS. Env Sync is now a first-class Avora App Store
app: the backend lives in the FastAPI PMS (be/app/.../envsync.py) and is managed
at Dashboard → Workspace → App Store → Env Sync. The extension authenticates
with an Avora Personal Access Token (generated on that page) and talks to
/(api/v1)/envsync/.... The Django backend/ is the original reference
implementation — deprecated, kept for history, not deployed.
VS Code Extension                  PMPS Dashboard (source of truth)
─────────────────                  ────────────────────────────────
1. Sign in (reuse dashboard token)
2. See your projects + collaborators
3. Pull ◀────────── writes the project .env to a local file
4. Edit .env → row flips to "local changes • push"
5. Push ──────────▶ saves a new version on the dashboard
6. Sync ◀────────▶ reconciles your changes with collaborators'
⚠️ .env files hold secrets. They sync through the backend, never through git.
The extension auto-adds the linked file to .gitignore, the backend encrypts
every value at rest, and only project members can pull/push.
Repo layout
src/ — the VS Code extension (TypeScript). Build with npm run build.
backend/ — deprecated Django reference app (envsync), superseded by the
FastAPI module in the PMS (be). See backend/README.md for the original design.
Run the extension (dev)
npm install
npm run build # or: npm run watch
Fastest path: start the test server (backend/README.md), then in VS Code pick
the “Run Extension (auto-connect to test server)” launch config and press F5.
It opens a sample workspace and auto-fills the dashboard URL + a dev token (from
.vscode/launch.json) — no manual sign-in. Your projects appear immediately in the
PMPS Env Sync view with inline pull / push / sync icons.
To connect to your own backend instead, use “Run Extension (clean)” then:
PMPS: Set Dashboard URL → your backend base URL.
PMPS: Sign In → paste your dashboard access token.
Environments (env folders)
A project can have multiple environments — e.g. ranking-be → local,
staging, production from its env/ folder. The tree shows
project → environment rows → Collaborators, and pull/push/sync act per
environment. Map each environment to its file via pmps.envFileMap in the
workspace settings, e.g. "ranking-be/staging": "ranking-be/env/staging.env".
Projects with a single file just use one default environment.
How sync state is shown
| Row badge | Meaning | Action shown |
|---|---|---|
| synced ✓ | local == last pull == dashboard | sync |
| local changes • push | you edited .env | push |
| update available • pull | a collaborator pushed | pull |
| diverged ⚠ | both changed | sync (last-write-wins, both kept in history) |
| not linked | no local file bound yet | pull |
A file watcher flips a project to push the moment you edit its .env. Live
updates arrive over a WebSocket — a dashboard/collaborator push pulls into your
clean local file instantly (if you have unsaved edits, it warns you to Sync). A
poll (default 60s, pmps.autoRefreshSeconds) is the fallback when the socket is down.
Settings
pmps.serverUrl — dashboard base URL.
pmps.autoRefreshSeconds — poll interval (0 disables).
pmps.envFileName — default file name a pulled env is written to (.env).
Conflict handling
Each push declares the version it was based on. If the dashboard moved ahead, the
backend returns 409 and the extension offers: keep mine (push over), take
remote, or open a diff. Nothing is lost — every version stays in history.
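The base-version check above, together with the row badges from "How sync state is shown", can be modelled in a few lines. This is an added example, not the extension's or the PMS backend's code: EnvStore, badge and keepMine are hypothetical names, and an in-memory array stands in for the dashboard.

```typescript
// Added example with hypothetical names; an in-memory array stands in for the dashboard.
type Badge = "synced" | "local changes" | "update available" | "diverged" | "not linked";
interface Version { version: number; content: string; author: string }
interface LocalState {
  content: string | null; // current local .env text; null when no file is bound
  baseVersion: number;    // dashboard version seen at the last pull
  baseContent: string;    // .env text as of the last pull
}

class EnvStore {
  // Append-only history: a push adds a version and never rewrites an older one.
  readonly history: Version[] = [{ version: 1, content: "", author: "init" }];

  head(): Version { return this.history[this.history.length - 1]; }

  // Each push declares the version it was based on; a stale base gets 409.
  push(baseVersion: number, content: string, author: string): { status: 200 | 409; head: Version } {
    if (baseVersion !== this.head().version) return { status: 409, head: this.head() };
    this.history.push({ version: baseVersion + 1, content, author });
    return { status: 200, head: this.head() };
  }
}

// Row badge from the three-way comparison: local vs last pull vs dashboard head.
function badge(local: LocalState, head: Version): Badge {
  if (local.content === null) return "not linked";
  const edited = local.content !== local.baseContent;
  const behind = head.version !== local.baseVersion;
  if (edited && behind) return "diverged";
  if (edited) return "local changes";
  return behind ? "update available" : "synced";
}

// "Keep mine": rebase the push onto the current head. The collaborator's
// version is superseded but stays in history, so it can still be inspected.
function keepMine(store: EnvStore, local: LocalState, author: string): Version {
  const text = local.content === null ? "" : local.content;
  const result = store.push(store.head().version, text, author);
  local.baseVersion = result.head.version;
  local.baseContent = result.head.content;
  return result.head;
}
```

Because "keep mine" supersedes a collaborator's value for every key in the file, the retained history entry is the only record of what was replaced.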
Roadmap (next)
Per-key diff/merge for conflicts, named environments (dev/staging/prod), audit log
view, and one-click rollback to a prior version. (Live WebSocket sync is already
built — see above.)