Write a custom variable source
Custom variable sources are for teams that need values from a source Configorama does not ship with, such as an internal secret store or deployment registry. This guide shows the shape of a source and where safe mode changes the trust model.
The extension point exists so the core resolver can stay framework-agnostic. Instead of adding every possible platform source to Configorama itself, applications can provide a small source object with a type, match rule, and async resolver function.
const configorama = require('configorama')
const vault = {
type: 'vault',
source: 'remote',
prefix: 'vault',
match: /^vault:/,
resolver: async variable => {
const key = variable.replace(/^vault:/, '')
return `value-for-${key}`
}
}
await configorama('config.yml', { variableSources: [vault] })Custom variable sources are blocked by safe mode because they are user-provided executable code. Audit output reports them as custom_extension risk.
Read variable sources for built-in resolver behavior and security policies for safe-mode controls. For API details, see the API reference.