
Tool v1.13.0 prep: CLI reliability, security hardening, and CI gates #35

Merged
nasimstg merged 5 commits into main from release/tool-v1.13.0-prep
Apr 2, 2026

Conversation

@nasimstg (Owner) commented Apr 2, 2026

Summary

This PR prepares the next tool release with focused commits:

  1. CLI exit-code behavior for xenvsync run and quiet error handling in command execution.
  2. Core hardening across env parsing, vault handling, zeroization, file permissions, and rotation rollback.
  3. CI, contributor workflow, packaging, and release-note updates.

Included changes

  • Preserve child exit codes in xenvsync run and avoid duplicate noisy error output.
  • Improve env/vault diagnostics and parsing behavior (inline comments, parse error surfacing).
  • Expand secret zeroization coverage across decrypt/encrypt paths.
  • Ensure decrypted .env files are written with
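The two hardening items above (zeroizing plaintext buffers and writing decrypted .env files with mode 0600) have one practical trap each, so here is an added, stand-alone Go example that is not the project's code: os.WriteFile with 0o600 only applies the mode to a newly created file, so a pull over an existing world-readable .env would leave it world-readable; writing to a fresh 0600 temp file and renaming it over the target avoids that and makes the write atomic. The helper names (zeroize, writeSecretFile, checkSecretFileMode) and the sample content are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// zeroize overwrites a secret buffer in place. In Go this is best-effort only:
// the runtime may already have copied the bytes (slice growth, string
// conversions), so it shrinks the exposure window rather than guaranteeing
// erasure. Call it on every plaintext or key slice as soon as it is no longer
// needed, on error paths too.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// writeSecretFile writes plaintext to path so the bytes are never readable by
// group or others, even for an instant, and even when path already exists
// with a looser mode. os.WriteFile(path, data, 0o600) is not enough: the mode
// is only applied when the file is created, so an existing 0644 .env keeps
// its old permissions. Writing to a fresh temp file (os.CreateTemp uses
// O_EXCL and 0600) and renaming it over the target fixes that and makes the
// replacement atomic.
func writeSecretFile(path string, plaintext []byte) (err error) {
	dir := filepath.Dir(path)
	tmp, err := os.CreateTemp(dir, "."+filepath.Base(path)+".*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer func() {
		if err != nil {
			_ = os.Remove(tmpName) // never leave plaintext behind on failure
		}
	}()
	if _, err = tmp.Write(plaintext); err != nil {
		_ = tmp.Close()
		return err
	}
	if err = tmp.Sync(); err != nil {
		_ = tmp.Close()
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, path)
}

// checkSecretFileMode is the kind of check a doctor command would run: it
// fails when a decrypted .env is readable or writable by group or others.
func checkSecretFileMode(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; expected 0600", path, perm)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "xenvsync-example")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)
	envPath := filepath.Join(dir, ".env")

	// Constructed sample: a pre-existing, world-readable .env that a pull
	// would overwrite with decrypted content (Chmod bypasses the umask).
	_ = os.WriteFile(envPath, []byte("STALE=1\n"), 0o644)
	_ = os.Chmod(envPath, 0o644)

	plaintext := []byte("API_KEY=constructed-sample-value\n")
	err = writeSecretFile(envPath, plaintext)
	zeroize(plaintext) // on success and on failure alike
	if err != nil {
		fmt.Fprintln(os.Stderr, "write failed:", err)
		os.Exit(1)
	}
	if err := checkSecretFileMode(envPath); err != nil {
		fmt.Fprintln(os.Stderr, "doctor:", err)
		os.Exit(1)
	}
	fmt.Println("wrote", envPath, "with mode 0600; plaintext buffer zeroized")
}
```

The rename also means a crash mid-write leaves either the old file or the complete new one, never a truncated .env; the deferred os.Remove handles the temp file on every failure path.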

Copilot AI review requested due to automatic review settings April 2, 2026 08:07
@vercel (Bot) commented Apr 2, 2026

The latest updates on your projects:

Project: xenvsync; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Apr 2, 2026 8:25am

Copilot AI left a comment

Pull request overview

This PR prepares the v1.13.0 release by tightening CLI behavior (exit-code propagation + quieter error paths), expanding secret zeroization and file-permission hardening, and adding stronger CI/contributor workflow gates and documentation.

Changes:

  • Preserve child-process exit codes for xenvsync run while avoiding noisy/duplicate error output.
  • Expand security hardening (more in-memory zeroization; pull writes decrypted env files as 0600; rotation rollback safety).
  • Add CI parity tooling (tidy-drift check, coverage threshold, govulncheck, website job) and update docs/examples/packaging for the release.

Reviewed changes

Copilot reviewed 39 out of 41 changed files in this pull request and generated 2 comments.

File Description
scripts/install-latest-xenvsync.sh Adds a shared installer script for CI examples to fetch the latest release binary.
scripts/ci-check.sh Adds local CI-equivalent checks (tidy drift, coverage threshold, vuln scan).
README.md Updates documented minimum Go version.
packaging/aur/PKGBUILD Switches AUR packaging to build from git and derive version metadata.
Makefile Adds discoverable targets (help/test-coverage/ci-check).
main.go Exits with propagated child exit code when commands return an ExitCodeCarrier.
internal/env/parser.go Adds stripping of unquoted inline comments in .env values.
internal/env/parser_test.go Adds test coverage for unquoted inline comment parsing behavior.
internal/crypto/multikey.go Expands symmetric-key zeroization during multi-key encrypt/decrypt.
flake.nix Derives Nix package version from git revision when available.
examples/ci/gitlab-ci.yml Reuses the shared installer script instead of inline curl logic.
examples/ci/github-actions.yml Reuses the shared installer script instead of inline curl logic.
examples/ci/circleci-config.yml Reuses the shared installer script instead of inline curl logic.
examples/ci/bitbucket-pipelines.yml Reuses the shared installer script instead of inline curl logic.
docs/INSTALL.md Updates minimum Go version documentation.
docs/DEVELOPMENT.md Adds a contributor workflow guide and local CI parity instructions.
docs/ARCHITECTURE.md Expands architecture documentation (trust boundaries, flows, repo layout).
CONTRIBUTING.md Links new docs, updates Go version guidance, and adds CI-check workflow guidance.
cmd/verify.go Zeroizes decrypted payload; surfaces parse failures in duplicate-key checks.
cmd/verify_test.go Updates tests for findDuplicateKeys error-returning behavior.
cmd/vaultutil.go Zeroizes private key material and decrypted plaintext buffers.
cmd/status_test.go Adds tests for status output expectations.
cmd/run.go Returns typed quiet exit-code errors and improves signal-forwarding lifecycle; zeroizes plaintext.
cmd/run_test.go Adds tests for env injection, exit-code propagation, and command-not-found behavior.
cmd/rotate.go Zeroizes plaintext/serialized data; adds rollback when key write fails.
cmd/root.go Adds “quiet error” suppression in wrapper error printing.
cmd/push.go Zeroizes decoded key material after use.
cmd/pull.go Zeroizes plaintext/output; writes decrypted .env files with mode 0600.
cmd/log.go Zeroizes decrypted plaintext buffer in best-effort decrypt path.
cmd/init.go Ensures .gitignore updates match exact entries (avoid substring false positives).
cmd/exitcode.go Introduces typed exit-code + “quiet” error interfaces/implementation.
cmd/envs_test.go Adds tests for envs discovery output and sorting.
cmd/envname.go Uses sort.Strings and improves parse error surfacing for fallback layers.
cmd/doctor.go Zeroizes decrypted payload during vault decrypt check.
cmd/diff.go Improves diagnostics for missing files vs parse/decrypt errors.
CHANGELOG.md Adds v1.13.0 release notes covering new behavior and gates.
.gitignore Ignores website TypeScript incremental build artifact.
.github/workflows/ci.yml Adds coverage threshold enforcement, tidy drift check, govulncheck, website job, and tighter release gating.


Comment thread internal/env/parser.go
Comment on lines +99 to +106
func stripInlineComment(val string) string {
for i := 0; i < len(val); i++ {
if val[i] != '#' {
continue
}
if i == 0 || val[i-1] == ' ' || val[i-1] == '\t' {
return strings.TrimSpace(val[:i])
}
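Review bot: the excerpt never shows how quoted values are kept away from this function, yet the per-file summary says only unquoted inline comments are stripped; with the test `val[i-1] == ' ' || val[i-1] == '\t'` a value like `KEY="a # b"` would become `"a` if a caller ever passed the quoted segment through, so add a test for a quoted value containing ` # ` next to the `KEY=#123` case, and document on the function that it expects the raw, untrimmed segment after `=`, because once the caller has trimmed it the whitespace test cannot tell `KEY= #123` from `KEY=#123`.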

Copilot AI commented Apr 2, 2026

stripInlineComment treats a leading # as the start of an inline comment (i == 0), which changes parsing for values that legitimately begin with # (e.g., KEY=#123 currently becomes an empty string). Consider only stripping when the # was preceded by whitespace in the original (untrimmed) value segment, or otherwise require at least one whitespace before # after =. Add/adjust a test case to cover KEY=#123 so this behavior is locked in intentionally.

Comment thread cmd/root.go
Comment on lines 21 to 27
func Execute() error {
if err := rootCmd.Execute(); err != nil {
fmt.Fprintln(os.Stderr, err)
var quiet quietError
if !(errors.As(err, &quiet) && quiet.Quiet()) {
fmt.Fprintln(os.Stderr, err)
}
return err
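Review bot: as shown, the unconditional `fmt.Fprintln(os.Stderr, err)` directly under `if err := rootCmd.Execute(); err != nil {` sits above the new `errors.As(err, &quiet)` guard, so every non-quiet error would be printed twice and a quiet error would still be printed once by that first line; if it is the old print that this diff removes, the excerpt has merely lost its `-` marker and the guarded print is the only one left, otherwise delete it. Whichever it is, add a test that wraps a quiet error with `fmt.Errorf("...: %w", err)` and asserts nothing is written, since `errors.As` is what makes the wrapper see through the wrapping.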

Copilot AI commented Apr 2, 2026


cmd.Execute() prints errors itself, but rootCmd.Execute() (Cobra) already prints errors unless SilenceErrors is set. As a result, errors can still be duplicated, and the new “quiet” exit-code errors may still produce output (at least a blank line) from Cobra even when this wrapper suppresses printing. To make the quiet-error mechanism reliable, set rootCmd.SilenceErrors = true (and consider SilenceUsage = true if you don’t want usage on all errors) and keep all printing centralized in cmd.Execute().

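To make the exit-code and quiet-error mechanism discussed in the cmd/root.go thread concrete, here is an added Go example that is not the project's code and uses only the standard library (no Cobra): a child that exits non-zero yields a typed error that carries the status and asks not to be printed, a child that cannot be started yields an ordinary error that is printed once, and a single function decides both the process exit code and whether to print. The interface name ExitCodeCarrier follows the PR summary, but its shape, the quietError interface, childExitError, runChild and exitStatus are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// ExitCodeCarrier is the shape main() looks for on the way out: an error that
// knows which status the process should exit with (assumed interface).
type ExitCodeCarrier interface {
	error
	ExitCode() int
}

// quietError marks an error that has already been reported (the child wrote
// its own diagnostics to stderr), so the CLI wrapper must not print it again.
type quietError interface {
	error
	Quiet() bool
}

// childExitError is a hypothetical implementation of both interfaces for a
// child that ran and exited non-zero.
type childExitError struct{ code int }

func (e *childExitError) Error() string { return fmt.Sprintf("command exited with status %d", e.code) }
func (e *childExitError) ExitCode() int { return e.code }
func (e *childExitError) Quiet() bool   { return true }

// runChild runs argv with extra environment entries injected and maps the
// outcome onto the error types above: nil on success, a quiet childExitError
// when the child exited non-zero or died from a signal (shell convention:
// 128 + signal number), or an ordinary, printed error when the child could
// not be started at all (not found, not executable).
func runChild(argv []string, extraEnv []string) error {
	if len(argv) == 0 {
		return errors.New("run: no command given")
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = append(os.Environ(), extraEnv...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	err := cmd.Run()
	var exitErr *exec.ExitError
	if !errors.As(err, &exitErr) {
		return err // nil, or a start-up failure worth printing
	}
	code := exitErr.ExitCode() // -1 when the child was terminated by a signal
	if ws, ok := exitErr.Sys().(syscall.WaitStatus); ok && ws.Signaled() {
		code = 128 + int(ws.Signal())
	}
	return &childExitError{code: code}
}

// exitStatus is what main() applies to the error returned from the command
// tree: the exit code to use and whether to print the message. All printing
// happens in one place, so a Cobra root command would need SilenceErrors and
// SilenceUsage set or the message appears twice.
func exitStatus(err error) (code int, report bool) {
	if err == nil {
		return 0, false
	}
	code = 1
	var carrier ExitCodeCarrier
	if errors.As(err, &carrier) {
		code = carrier.ExitCode()
	}
	var q quietError
	report = !(errors.As(err, &q) && q.Quiet())
	return code, report
}

func main() {
	// Constructed usage: go run . sh -c 'echo "$XENVSYNC_EXAMPLE"; exit 3'
	// exits with status 3 and prints nothing of its own.
	err := runChild(os.Args[1:], []string{"XENVSYNC_EXAMPLE=injected"})
	code, report := exitStatus(err)
	if report {
		fmt.Fprintln(os.Stderr, "xenvsync:", err)
	}
	os.Exit(code)
}
```

errors.As is what lets wrapped errors (fmt.Errorf with %w further up the command tree) still reach the carrier; a plain type switch on the returned error would lose the exit code as soon as anything wrapped it.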
@nasimstg nasimstg enabled auto-merge April 2, 2026 08:29
@nasimstg nasimstg merged commit b6fa506 into main Apr 2, 2026
20 checks passed
@nasimstg nasimstg deleted the release/tool-v1.13.0-prep branch April 2, 2026 08:30
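The parser.go thread above turns on one question: when does a `#` inside an unquoted value start a comment? Here is an added Go example, not the project's parser, of the rule the review asks for: a `#` is a comment start only when preceded by a space or tab in the untrimmed value segment, so `KEY=#123` keeps its value and a URL fragment survives, quoted values may contain `#` freely, and parse errors are surfaced with a line number instead of being skipped. The function names (stripInlineComment, parseLine, parseEnv, validKey) and the sample file are assumptions made for the example; the duplicate-key report goes beyond the thread and mirrors the duplicate-key check mentioned for cmd/verify.go.

```go
package main

import (
	"fmt"
	"strings"
)

// stripInlineComment drops an unquoted trailing comment from the raw value
// segment (everything after '='). A '#' starts a comment only when preceded
// by a space or tab, so KEY=#123 keeps "#123" and URL=https://h/p#frag keeps
// its fragment, while KEY=abc # note yields "abc ". It must receive the
// untrimmed segment: after trimming, KEY= #123 and KEY=#123 look identical.
func stripInlineComment(raw string) string {
	for i := 1; i < len(raw); i++ {
		if raw[i] == '#' && (raw[i-1] == ' ' || raw[i-1] == '\t') {
			return raw[:i]
		}
	}
	return raw
}

// validKey accepts the POSIX shell identifier form used for env names.
func validKey(k string) bool {
	if k == "" {
		return false
	}
	for i, r := range k {
		switch {
		case r == '_', r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z':
		case r >= '0' && r <= '9' && i > 0:
		default:
			return false
		}
	}
	return true
}

// parseLine handles one .env line. isEntry is false for blank and comment
// lines. Quoted values (single or double) are taken literally up to the
// closing quote and may contain '#'; anything after the closing quote must
// be blank or a comment. Backslash escapes are intentionally not interpreted.
func parseLine(line string) (key, value string, isEntry bool, err error) {
	trimmed := strings.TrimSpace(line)
	if trimmed == "" || trimmed[0] == '#' {
		return "", "", false, nil
	}
	trimmed = strings.TrimSpace(strings.TrimPrefix(trimmed, "export "))
	eq := strings.IndexByte(trimmed, '=')
	if eq < 0 {
		return "", "", false, fmt.Errorf("expected KEY=value, got %q", trimmed)
	}
	key = strings.TrimSpace(trimmed[:eq])
	if !validKey(key) {
		return "", "", false, fmt.Errorf("invalid key %q", key)
	}
	raw := trimmed[eq+1:] // untrimmed value segment
	v := strings.TrimSpace(raw)
	if len(v) > 0 && (v[0] == '"' || v[0] == '\'') {
		end := strings.IndexByte(v[1:], v[0])
		if end < 0 {
			return "", "", false, fmt.Errorf("unterminated quote in value of %s", key)
		}
		value = v[1 : 1+end]
		rest := strings.TrimSpace(v[2+end:])
		if rest != "" && rest[0] != '#' {
			return "", "", false, fmt.Errorf("unexpected text after quoted value of %s: %q", key, rest)
		}
		return key, value, true, nil
	}
	return key, strings.TrimSpace(stripInlineComment(raw)), true, nil
}

// parseEnv parses a whole file, surfacing the first parse error with its
// line number instead of silently skipping the line, and reports keys that
// are defined more than once (the last definition wins in the map).
func parseEnv(src string) (vars map[string]string, duplicates []string, err error) {
	vars = make(map[string]string)
	for n, line := range strings.Split(src, "\n") {
		key, value, ok, perr := parseLine(line)
		if perr != nil {
			return nil, nil, fmt.Errorf("line %d: %w", n+1, perr)
		}
		if !ok {
			continue
		}
		if _, seen := vars[key]; seen {
			duplicates = append(duplicates, key)
		}
		vars[key] = value
	}
	return vars, duplicates, nil
}

func main() {
	// Constructed sample covering the cases discussed in review.
	const sample = "# constructed sample\n" +
		"COLOR=#123\n" +
		"URL=https://example.invalid/path#frag # fragment kept\n" +
		"NAME=\"a # b\" # quoted hash kept\n" +
		"export TOKEN='t o k'\t# tab before hash\n" +
		"EMPTY= # only a comment\n" +
		"COLOR=#456\n"
	vars, dups, err := parseEnv(sample)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, k := range []string{"COLOR", "URL", "NAME", "TOKEN", "EMPTY"} {
		fmt.Printf("%s=%q\n", k, vars[k])
	}
	fmt.Println("duplicates:", dups)
}
```

The one behavioural choice worth locking in with tests is the whitespace rule itself: `KEY= #123` parses to an empty value with a comment, `KEY=#123` parses to `#123`, and both only work because the stripper sees the segment before it is trimmed.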