Cloak – .env on disk has fakes, your editor shows them (CLI and VSCode)

Name: Cloak – .env on disk has fakes, your editor shows them (CLI and VSCode)
Availability: InStock
Author: wam_app

by wam_app·Mar 18, 2026·2 points·0 comments

Visit Project View on HN

AI Analysis

●●●BangerZero to OneSolve My ProblemWizardry

Agents read sk_test_ fakes on disk while you see real keys in-editor with Touch ID gating.

Strengths

•Solves a problem .gitignore and secret managers don't address at all
•Structurally valid fakes mean agents still write working, testable code
•cloak run injects real vars gated behind Touch ID, agents can't authenticate

Weaknesses

•Early software v0.1.0 may have edge cases with complex env setups
•Only protects .env files, not other secret storage methods

Post Description

I run AI coding agents with full filesystem access daily — Claude Code, Cursor, the works. Last month I realized every one of them has been reading my .env files with real Stripe live keys, database passwords, and AWS credentials. Sent straight to model providers as "context." .gitignore protects git, not disk. Secret managers protect servers, not laptops. Sandboxing the agent kills its usefulness. Nothing stopped a local cat .env from returning real credentials. So I built Cloak. The .env on disk always contains structurally valid fakes — sk_test_ for Stripe, localhost for databases, AWS example keys. Agents read the file, get sandbox values, write perfectly valid code. The VS Code/Cursor extension intercepts file opens and decrypts from an AES-256-GCM vault so you see real values in your editor. On save, it re-encrypts and writes sandbox to disk. cloak run npm start injects real env vars gated behind Touch ID / password — agents can't authenticate. Technical decisions worth discussing:

Rust CLI + TypeScript extension sharing the same vault binary format (CLK magic bytes + version byte for future evolution). Cross-compatibility tested explicitly. Biometric auth as the agent boundary. The insight: agents can read any file but can't provide a fingerprint. Touch ID on macOS, interactive-terminal-only password on Linux/Windows. Non-TTY processes are rejected. Sandbox generation is deterministic — HMAC-SHA256 of project hash + key name produces the same fake value every time. No randomness means no diffs in git, no confusing the agent with changing values. Recovery key (CLOAK-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx) shown once during init, never stored on disk. PBKDF2-SHA256 with 100k iterations protects a recovery file that can reconstruct the keychain key. Same model as disk encryption recovery keys. Zero AI inside. All detection is regex + Shannon entropy. Your secrets never touch a network. No telemetry, no cloud, no accounts.

Open source, MIT licensed. Interested in feedback on the threat model — particularly whether the biometric gate is sufficient or if there are bypass vectors I haven't considered.