Secret-keystore – KMS-encrypted .env that never touches process.env
KMS encryption that keeps secrets out of process.env entirely.
The contract for your .env — validate it, catch drift, never commit a secret. 100% local.
KMS encryption that keeps secrets out of process.env entirely.
Touch ID auth and Keychain integration beat 1Password's env tool on local-first workflow.
Solves a real CI/CD pain, but dotenv validation already exists (python-dotenv, pydantic).
Proxy tokens worthless if leaked, real keys never enter LLM context windows.
Stops AI tools from reading .env files by never storing secrets as plaintext on disk.
Makes secure path faster than Slack for sharing secrets—age encryption, SPAKE2, self-hostable.