Your secrets, invisible to AI.
CloakEnv is a local-first desktop app and CLI for development secrets. It keeps secrets encrypted in a local vault, asks for approval before sensitive reads, and injects approved values into local processes without relying on plaintext .env files.
If you are evaluating the project for the first time, start with Quick Start.
- Stores secrets in an encrypted local vault.
- Backs up vault changes to an encrypted
.cloakedfile in a folder you choose. - Serves approved secrets to local processes through a local provider socket or named pipe.
- Lets you run existing commands through
cloakenv run -- .... - Supports shared
.env.schemafiles in@env-specformat. - Works with direct CloakEnv usage and the Varlock integration path in this repo.
The repo already includes:
- A desktop app built with ElectroBun and a React UI.
- A standalone
cloakenvCLI. - Local provider mode with desktop approvals or terminal approvals.
- Project detection, scoped environments, audit logs, backup/import/export, and schema workflows.
- Varlock bridge packages in
packages/varlock-adapterandpackages/varlock-helper.
What it is not:
- A hosted secret manager.
- A cloud sync service.
- A replacement for every runtime feature in Varlock.
- Launch the CloakEnv app.
- Complete onboarding:
- choose a backup directory
- set an auto-backup passphrase
- optionally install the bundled
cloakenvcommand into yourPATH - optionally import existing plaintext
.envfiles
- Open a terminal in your project and use the CLI examples below.
Packaged desktop builds can install and update an app-managed cloakenv command for you.
Requirements:
- Bun
- macOS, Linux, or Windows
Install dependencies:
bun installRun the desktop app:
bun run devUse the CLI from source:
bun run cli -- --helpBuild the standalone CLI:
bun run cli:build
./apps/cli/dist/index.js --helpBuild release artifacts:
bun run release:buildArtifacts are written to artifacts/.
CloakEnv publishes desktop installers, updater feeds, and standalone CLI binaries through GitHub Releases.
Release rules:
- the source of truth is the root
package.jsonversion - a Git tag must match that version in
vX.Y.Zform - stable release builds point their updater at:
https://github.com/<owner>/<repo>/releases/latest/download bun run release:buildderives that feed automatically from theoriginGit remote- set
CLOAKENV_RELEASE_BASE_URLexplicitly if you need a different release feed
To cut the first stable release:
git tag v1.0.6
git push origin v1.0.6The release workflow will:
- validate that the pushed tag matches
package.json - build Linux and Windows release artifacts
- upload them to a GitHub Release named after the tag
- publish stable updater assets that the in-app updater can fetch from the latest release
macOS release assets are published from a local macOS build so the same artifacts/ files you validated on your machine are the ones attached to GitHub Releases.
After running:
bun run build:installersupload the local macOS artifacts to the tag release with:
bun run release:upload:macos -- v1.0.6That command uploads the macOS .dmg, updater files, standalone CLI, manifest, and any generated macOS patch file from artifacts/ to the existing GitHub release. It will refuse to upload if the packaged app does not contain an updater release feed URL.
For a public macOS GitHub release, the packaged app also has to pass syspolicy_check distribution. In practice that means:
- the bundle must be signed correctly
- the build must be suitable for distribution, not just local execution
- the app must have a notarization ticket stapled before upload
All CLI examples below assume cloakenv is available in your shell. If you are running from a source checkout and have not installed the CLI into your PATH yet, replace:
cloakenv ...with:
bun run cli -- ...The easiest first run is:
cloakenv initcloakenv init will:
- require a backup directory
- require an auto-backup passphrase when auto-backup is enabled
- detect the current project when possible
- optionally bootstrap from
.env.schemaif the file exists
After that:
cloakenv set DATABASE_URL=postgres://localhost:5432/mydb
cloakenv listTo run your app with approved secret injection:
cloakenv run -- npm run dev
cloakenv run -- python manage.py runserver
cloakenv run -- go run ./cmd/apicloakenv run requires the desktop app to be running, or a foreground provider in another terminal:
cloakenv provider startUseful diagnostics:
cloakenv provider status
cloakenv provider expire --allStore or update a secret:
cloakenv set API_KEY=your-secretRead one secret with approval:
cloakenv get API_KEYList keys:
cloakenv listList keys and values with approval:
cloakenv list --show-valuesInspect audit history:
cloakenv audit --limit 20Generate a strong passphrase:
cloakenv generate-passphraseIf you already have plaintext .env files, the desktop onboarding flow and project UI can detect and import them into the vault. After import, the app can move the original plaintext files to trash.
That is the recommended migration path for a first-time user coming from .env, .env.local, or similar files.
CloakEnv tries to detect the current project from:
- a
.cloakenvmarker file - a Git root
- a supported manifest such as
package.json,pyproject.toml,Cargo.toml,go.mod, orbunfig.toml
If detection is wrong or you are inside a monorepo, use explicit project commands:
cloakenv project create my-app
cloakenv project list
cloakenv project switch my-appScopes let you separate values such as default, development, test, or .env.local:
cloakenv set --scope test API_KEY=test-secret
cloakenv run --scope test -- bun testEvery mutating workflow expects a configured backup directory. Backups are encrypted .cloaked files.
Export:
cloakenv export --output ./vault.env.cloakedImport:
cloakenv import ./vault.env.cloakedConfiguration helpers:
cloakenv config backup-path /path/to/backups
cloakenv config backup-passphrase
cloakenv config show
cloakenv config provider-session 15CloakEnv supports the @env-spec schema format used by .env.schema.
Export a schema from the current project:
cloakenv schema exportImport an existing schema:
cloakenv schema importCompare stored schema metadata with a file:
cloakenv schema diffValidate stored values:
cloakenv schema validateImported schema entries are stored even when no secret value exists yet, so the UI and CLI can manage schema-only fields.
CloakEnv and Varlock are meant to be complementary:
- CloakEnv owns local encrypted storage, approval, audit, and provider access.
- Varlock remains the schema-driven runtime layer.
@env-specis the shared contract.
Supported integration paths in this repo:
cloakenv run -- ...around an existing app command@cloakenv/varlock-adapterfor Node-based bootstraps@cloakenv/varlock-helperfor schema-drivenvarlock runworkflows
See docs/varlock-integration.md for full examples.
Developer or local adapter
|
v
CloakEnv CLI / client
|
v
Local provider socket or named pipe
|
v
Desktop approval dialog or terminal approval
|
v
Encrypted local vault
|
v
Approved child process / approved env map
In the normal desktop flow, the app owns the approval boundary. In headless or fallback usage, cloakenv provider start hosts the same provider contract with terminal approvals.
| Layer | Protection |
|---|---|
| Encryption at rest | AES-256-GCM |
| Key derivation | scrypt + HKDF-SHA256 |
| Local key storage | OS keychain / secret service / credential manager |
| Transport | Unix domain socket or Windows named pipe |
| Approval | Native approval in desktop mode, terminal approval in foreground provider mode |
| Audit | Request and decision logging |
| Primary defense | No plaintext .env file in normal CloakEnv workflows |
Local storage paths used by default:
- Vault database:
~/.config/cloakenv/vault.db - Provider endpoint on Unix:
~/.config/cloakenv/provider.sock
Run tests:
bun test --recursiveTypecheck:
bun run typecheckLint:
bun run lintRepo layout:
cloakenv/
├── apps/cli/ # CLI entrypoint
├── apps/web/ # Desktop UI
├── packages/core/ # Vault, crypto, provider client/types, schema support
├── packages/varlock-adapter/ # Node adapter for Varlock-style bootstraps
├── packages/varlock-helper/ # Helper CLI for schema-driven Varlock workflows
└── src/bun/ # Desktop main process and local provider service
- docs/provider-api.md
- docs/provider-client-contract.md
- docs/reference-examples.md
- docs/varlock-integration.md
- docs/kdf-benchmark.md
MIT. See LICENSE.