Architecture

Security Model

Local-first storage, Keychain usage, audit boundaries, clipboard safety, and Content Security Policy.

Local-first boundary

  • Raw secret values should live in macOS Keychain, not SQLite.
  • SQLite stores project paths, env file records, key names, status, warnings, value previews, value hashes, notes, and Keychain references.
  • Ignored security warnings are stored as local project metadata and do not contain raw secret values.
  • Audit logs store action names, timestamps, project IDs, and file/key targets, but not raw secret values.
  • External provider metadata stores provider names and references only. EnvVault does not store third-party provider credentials or sync with provider APIs.

App Lock boundary

  • Optional App Lock hides the EnvVault UI and project metadata until the local unlock succeeds.
  • App Lock verifies the passphrase against an Argon2id hash stored as a named Keychain item.
  • macOS unlock uses Apple's LocalAuthentication prompt when enabled.
  • App Lock is not a replacement for FileVault or a fully encrypted SQLite metadata database.

Secret detection

  • Key-based detection flags key names that contain markers such as SECRET, TOKEN, PASSWORD, PRIVATE, KEY, API_KEY, DATABASE_URL, JWT, AUTH, CREDENTIAL, ACCESS, REFRESH, CLIENT_SECRET, STRIPE_SECRET, WEBHOOK_SECRET, SESSION_SECRET, and ENCRYPTION_KEY.
  • Public prefixes are treated specially: NEXT_PUBLIC_, VITE_, PUBLIC_, NUXT_PUBLIC_, and REACT_APP_.
  • Value-based detection catches credential-bearing URLs, Stripe keys, Slack tokens, private key blocks, and long token-like values.
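The following classifier is an added example of how the three detection rules above fit together; it is not EnvVault's own code. The marker list, the handling of public prefixes (the key name is not a reason to flag, but the value is still inspected, since a real credential under a public prefix is the worse mistake), and the value heuristics (private key blocks, Stripe `sk_live_`/`sk_test_` prefixes, Slack `xox*-` prefixes, `scheme://user:pass@host` URLs, long opaque strings) are assumptions modelled on the bullets, and the test values are constructed.

```rust
// Added example, not EnvVault's detection code. Marker lists and heuristics are
// assumptions based on the documented detection rules.

/// Outcome of checking one KEY=value pair from an env file.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// Key has a public prefix and the value does not look like a credential.
    Public,
    /// Key name contains a secret-like marker (the marker is returned).
    KeyName(&'static str),
    /// The value itself looks like a credential (the reason is returned).
    Value(&'static str),
    /// Nothing suspicious.
    Plain,
}

/// Longer, more specific markers first so the report names the best match.
const KEY_MARKERS: &[&str] = &[
    "CLIENT_SECRET", "STRIPE_SECRET", "WEBHOOK_SECRET", "SESSION_SECRET",
    "ENCRYPTION_KEY", "DATABASE_URL", "API_KEY", "CREDENTIAL", "PASSWORD",
    "PRIVATE", "REFRESH", "SECRET", "ACCESS", "TOKEN", "AUTH", "JWT", "KEY",
];

const PUBLIC_PREFIXES: &[&str] =
    &["NEXT_PUBLIC_", "VITE_", "PUBLIC_", "NUXT_PUBLIC_", "REACT_APP_"];

pub fn classify(key: &str, value: &str) -> Verdict {
    let upper = key.trim().to_ascii_uppercase();
    // Assumption: a public-prefixed key is meant to ship to clients, so its name
    // is not a finding, but the value is still inspected.
    if PUBLIC_PREFIXES.iter().any(|p| upper.starts_with(*p)) {
        return match value_reason(value) {
            Some(reason) => Verdict::Value(reason),
            None => Verdict::Public,
        };
    }
    if let Some(m) = KEY_MARKERS.iter().copied().find(|m| upper.contains(*m)) {
        return Verdict::KeyName(m);
    }
    match value_reason(value) {
        Some(reason) => Verdict::Value(reason),
        None => Verdict::Plain,
    }
}

/// Value-based heuristics, checked from most to least specific.
fn value_reason(value: &str) -> Option<&'static str> {
    let v = value.trim().trim_matches(|c: char| c == '"' || c == '\'');
    if v.contains("-----BEGIN") && v.contains("PRIVATE KEY-----") {
        return Some("private key block");
    }
    if v.starts_with("sk_live_") || v.starts_with("sk_test_") || v.starts_with("rk_live_") {
        return Some("Stripe secret key");
    }
    if ["xoxb-", "xoxp-", "xoxa-", "xoxs-"].iter().any(|p| v.starts_with(*p)) {
        return Some("Slack token");
    }
    // scheme://user:password@host...: a ':' in the userinfo before the first '@'.
    if let Some((_, rest)) = v.split_once("://") {
        if let Some((userinfo, _)) = rest.split_once('@') {
            if userinfo.contains(':') && !userinfo.contains('/') {
                return Some("credential-bearing URL");
            }
        }
    }
    // Long opaque strings: 32+ chars of [A-Za-z0-9_-] mixing letters and digits.
    let opaque = v.len() >= 32
        && v.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
        && v.chars().any(|c| c.is_ascii_digit())
        && v.chars().any(|c| c.is_ascii_alphabetic());
    if opaque {
        return Some("long token-like value");
    }
    None
}

fn main() {
    // Constructed sample pairs, not real credentials.
    for (k, v) in [
        ("STRIPE_SECRET_KEY", "sk_live_constructed"),
        ("NEXT_PUBLIC_API_URL", "https://api.example.com"),
        ("DB", "postgres://app:hunter2@db.internal:5432/app"),
        ("NODE_ENV", "production"),
    ] {
        println!("{k} -> {:?}", classify(k, v));
    }
}
```

Ordering matters in two places: the marker list puts `STRIPE_SECRET` before `SECRET` so the warning names the most specific match, and the value checks run even for public-prefixed keys so that a `NEXT_PUBLIC_` variable holding a Stripe secret key is reported as a value finding rather than waved through as public.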

Clipboard safety

Secret copy actions use the Tauri clipboard manager and schedule clipboard clearing after 60 seconds.
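The scheduling logic behind that rule, as an added example rather than EnvVault's code: the `Clipboard` trait and in-memory implementation stand in for the Tauri clipboard manager, the 60-second constant mirrors the text, and the rule that the timer only wipes the clipboard if it still holds the value it placed there (so a value the user copied in the meantime is not destroyed) is an assumption about desirable behaviour, not something the page states.

```rust
// Added example, not EnvVault's code. The Clipboard trait stands in for the
// Tauri clipboard manager; the "clear only if unchanged" rule is an assumption.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::sync::{Arc, Mutex};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Delay the real app would use; callers can pass a shorter one for testing.
pub const CLEAR_AFTER: Duration = Duration::from_secs(60);

pub trait Clipboard: Send + Sync {
    fn read(&self) -> Option<String>;
    fn write(&self, text: &str);
    fn clear(&self);
}

/// In-memory clipboard so the logic runs without a window or OS pasteboard.
#[derive(Default)]
pub struct MemoryClipboard {
    content: Mutex<Option<String>>,
}

impl Clipboard for MemoryClipboard {
    fn read(&self) -> Option<String> {
        self.content.lock().unwrap().clone()
    }
    fn write(&self, text: &str) {
        *self.content.lock().unwrap() = Some(text.to_string());
    }
    fn clear(&self) {
        *self.content.lock().unwrap() = None;
    }
}

/// Fingerprint kept by the timer instead of a second copy of the secret.
/// DefaultHasher is not cryptographic; it only answers "is this still ours?".
pub fn fingerprint(text: &str) -> u64 {
    let mut h = DefaultHasher::new();
    text.hash(&mut h);
    h.finish()
}

/// Wipe the clipboard only if it still holds the value we placed there.
/// Returns whether anything was cleared.
pub fn clear_if_unchanged(clip: &dyn Clipboard, expected: u64) -> bool {
    match clip.read() {
        Some(current) if fingerprint(&current) == expected => {
            clip.clear();
            true
        }
        _ => false,
    }
}

/// Copy `secret` and schedule the conditional clear after `delay`.
pub fn copy_secret(clip: Arc<dyn Clipboard>, secret: &str, delay: Duration) -> JoinHandle<bool> {
    clip.write(secret);
    let expected = fingerprint(secret);
    thread::spawn(move || {
        thread::sleep(delay);
        clear_if_unchanged(clip.as_ref(), expected)
    })
}

fn main() {
    let clip: Arc<dyn Clipboard> = Arc::new(MemoryClipboard::default());
    // Constructed value, not a real key; 100 ms instead of CLEAR_AFTER for the demo.
    let timer = copy_secret(clip.clone(), "sk_test_constructed_value", Duration::from_millis(100));
    println!("cleared: {}", timer.join().unwrap());
}
```

The timer thread holds only a fingerprint of the copied value, not the value itself, so the secret is not retained in a second place for the whole 60 seconds; the comparison still lets it tell its own payload apart from something the user copied afterwards.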

Content Security Policy

The Tauri app ships a restrictive CSP that restricts the allowed sources for default-src, script-src, style-src, img-src, font-src, object-src, base-uri, and frame-ancestors.