EnvVault

Local-first dotenv inspection, comparison, secure metadata management, and runtime profile workflows for macOS developers.

Read Documentation Install Free App

Free macOS appLocal-first on macOSRaw secrets in macOS KeychainApp installer, no source checkoutOptional App LockApp-managed CLI for profile-backed commands

EnvVault

API Server

~/Projects/api-server

82Security score

VariablesCompareRuntimeSecurity

Key	Value	Source	Status
DATABASE_URL	postgres://user:****@db.internal:5432/app	.env.local	Sensitive
API_KEY	sk_live_************************	.env.local	Sensitive
NEXT_PUBLIC_APP_URL	https://app.example.test	.env	OK
FEATURE_BILLING	true	.env	OK
STRIPE_WEBHOOK_SECRET	whsec_************************	.env.production	Sensitive
LOG_LEVEL	info	.env	OK

Runtime profile differs from linked dotenv file

App Pages

Every route in the EnvVault desktop app has a dedicated documentation page.

Dashboard

Live project table, selected file preview, comparison summary, and security score.

View docs Projects

Project detail, env files, runtime profiles, connector config, sync, recovery, and history.

View docs Variables

Switch between env-file variables and runtime profile variables for search, filtering, reveal, copy, edit, and validation workflows.

View docs Compare

Side-by-side matrix for missing, empty, duplicate, matching, and secret variables.

View docs Security

Security score and warnings for dotenv files, profiles, imports, and connector config.

View docs Settings

Theme, confirmations, App Lock, backups, audit activity, demo reset, and runtime CLI installer.

View docs About

Version, author, local security boundary, and app identity details.

View docs

Feature Coverage

Where each EnvVault capability appears across the app and CLI documentation.

Capability	Dashboard	Projects	Variables	Compare	Security	Settings	CLI
Add local project folders			-	-	-	-	-
Import supported dotenv filenames						-	-
Parse keys, values, comments, duplicates, invalid lines, and line numbers	-					-	-
Mask, reveal, copy, edit, delete, and reclassify variables		-		-		-	-
Store raw secret values in macOS Keychain	-			-		-
Protect the running app with optional App Lock	-	-	-	-			-
Switch Variables page between env files and runtime profiles	-			-		-
Persist metadata, previews, hashes, notes, and Keychain refs in SQLite
Compare env files and environments		-	-		-	-	-
Generate blank .env.example output	-		-	-	-	-	-
Export dotenv files with confirmation			-	-	-	-	-
Mirror dotenv files into runtime profiles	-		-	-		-
Create, edit, rename, delete, and restore runtime profile variables	-		-	-		-
Track approval, reviewer, rotation, and external provider references	-		-	-		-	-
Create and refresh safe .envvault.json connector config	-		-	-		-
Ignore, review, and restore security warnings		-	-	-			-
Install, repair, uninstall, inspect, and run doctor for envvault CLI	-	-	-	-	-
Record audit activity without raw secret values	-			-	-		-
Export metadata-only and explicit full encrypted backups	-	-	-	-			-

Security Model

EnvVault is intentionally local-first. The desktop app keeps raw secrets out of SQLite and uses Keychain-backed references for sensitive values.

Raw secret values should live in macOS Keychain, not SQLite.
Optional App Lock can hide project metadata until local unlock succeeds.
Audit logs store action names, timestamps, project IDs, and file/key targets without raw secret values.
Secret clipboard copies are scheduled to clear after 60 seconds.
External provider metadata stores provider names and references, not third-party credentials.

Read the security model

Local Data Flow

Env filesEnvVaultKeychain

SQLite metadataRuntime profilesCLI run

Secrets stay local; metadata remains inspectable and auditable.

Runtime Connector CLI

The app-managed envvault command can print, validate, and inject EnvVault profile variables into local commands after resolving secret values from macOS Keychain.

envvault doctor
envvault profiles
envvault validate --project <project> --profile <profile>
envvault run --profile development -- npm run dev

Release Status

Current version: 0.22.0

EnvVault is provided as a free macOS app.
Source code is not included with the free app distribution.
Version 0.22.0 adds ignored security warning review and restore workflow.
Original MVP phases are complete.
Runtime connector phases 1 through 13 are complete.

View release notes