by ivannovazzi
112 days ago
Really like the three-tier classification (PUBLIC/SENSITIVE/SERVER). That's a thoughtful design — most env var solutions treat everything as equally secret or equally public.

The frontend injection problem you're solving is the mirror image of what we deal with on the backend side. We built KeyEnv (keyenv.dev) to handle the server-side piece: secrets stored encrypted, pulled via CLI, and injected as env vars at runtime. No .env files on disk.

The combination is interesting — REP for the browser-facing config, something like KeyEnv for the server-side secrets that feed REP_SERVER_* vars.

The HMAC integrity check on the payload is a nice touch, especially for SPAs where someone could tamper with the injected HTML before it hits the client.

One question on the SENSITIVE tier: with the session-key-based decryption, what's the lifecycle of the session key? Is it per-page-load, per-user-session, or something else? That seems like the main variable in the security tradeoff.