sigyn

Your .env files belong in the trash.
Your secrets belong in a vault.

Apache 2 OSS

Stop committing crimes against secrets

Scattered .env files, plaintext tokens in Slack DMs, that one password in a sticky note. sigyn puts all of it in an encrypted local store and injects it straight into your processes.

🔒

AES-256-GCM-SIV

The kind of encryption that makes cryptographers nod approvingly. Nonce-misuse-resistant, authenticated, and the master key never leaves macOS Keychain.

🤚

Touch ID Authentication

One fingerprint. That's the whole auth flow. Falls back to your device password, but never asks you to invent yet another password.

📁

No .env Files

Env vars go straight from the encrypted store into your child process. Nothing touches disk. Nothing leaks into git. Your .gitignore can finally relax.

⌨️

CLI Companion

For the terminal dwellers. List projects, peek at your effective env, and launch processes with secrets injected, all without leaving the shell.

🎯

Multi-Environment

local, dev, staging, prod, all living side by side. Mix and match base presets with per-entry overrides when reality gets messy.

💻

Local-First & Native

Tauri 2 + Rust under the hood. Your data never leaves your machine. No accounts, no cloud, no "we value your privacy" banners.

📌

Menu Bar Visibility

Always-visible system tray shows your active project and environment at a glance. Switch projects, change environments, lock, or reset overrides without opening the window.

Let Apple do the hard parts

Why roll your own auth when macOS already has Keychain and Touch ID? sigyn leans on the OS for the trust-sensitive bits so it doesn't have to.

🔑 Key Hierarchy

macOS Keychain
└─ master key (256-bit random, generated once)
   └─ per-value encryption (AES-256-GCM-SIV)
      ├─ random 96-bit nonce per encrypt call
      └─ ciphertext + auth tag → base64 in SQLite

⏱️ Session Management

Walk away from your laptop? The master key evicts itself from memory after 5 idle minutes and zeroizes every byte on the way out. No crumbs left behind.

🛡️ What Gets Encrypted

Data                        Encrypted
Entry values (secrets)      Yes
Project names               No
Entry names (keys)          No
Environment labels          No
Categories / descriptions   No

📖 Full Threat Model

The whole story: encryption, auth, file permissions, IPC, CSP, CLI safety, and all the things sigyn deliberately doesn't try to do.

Read SECURITY.md →

GUI optional, terminal encouraged

The bundled CLI does its own Touch ID check, reads the same encrypted store as the desktop app, and pipes env vars into your process. Omit --project to use the project selected in the desktop app. No shell eval, no intermediate files, no drama.

List projects
$ sigyn list
Preview (selected project)
$ sigyn preview
Run process (selected project)
$ sigyn uv run python -m retail_service
With explicit project
$ sigyn run --project "big-service" -- uv run python -m retail_service
Reset (development only)
$ sigyn reset-test-data --confirm "delete all data"
⚠️ sigyn won't let you shoot yourself in the foot. It refuses to inject PATH, LD_*, DYLD_*, NODE_OPTIONS, and other process-loading vars that could ruin your day.
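
The refusal described in the warning above, sketched in Rust as an added example (not sigyn's own code). The denylist holds only the four names the page lists, and `is_blocked`, `partition` and `run_with` are hypothetical names; the entries are constructed samples.

```rust
use std::io::{Error, ErrorKind, Result};
use std::process::{Command, ExitStatus};

// Only the names the page lists; sigyn's complete denylist is not shown there.
const BLOCKED_EXACT: &[&str] = &["PATH", "NODE_OPTIONS"];
const BLOCKED_PREFIX: &[&str] = &["LD_", "DYLD_"];

/// True when a stored entry name must not reach the child's environment.
fn is_blocked(name: &str) -> bool {
    // Empty names and names holding '=' or NUL are not valid env keys.
    name.is_empty()
        || name.contains(|c: char| c == '=' || c == '\0')
        || BLOCKED_EXACT.contains(&name)
        || BLOCKED_PREFIX.iter().any(|p| name.starts_with(p))
}

/// Split decrypted entries into (injectable pairs, rejected names).
fn partition(entries: &[(&str, &str)]) -> (Vec<(String, String)>, Vec<String>) {
    let (mut ok, mut rejected) = (Vec::new(), Vec::new());
    for (k, v) in entries {
        if is_blocked(k) {
            rejected.push(k.to_string());
        } else {
            ok.push((k.to_string(), v.to_string()));
        }
    }
    (ok, rejected)
}

/// Exec argv directly (no shell, no temp file); the child inherits the
/// caller's own environment plus only the allowed stored entries.
fn run_with(entries: &[(&str, &str)], argv: &[&str]) -> Result<ExitStatus> {
    let (prog, args) = argv
        .split_first()
        .ok_or_else(|| Error::new(ErrorKind::InvalidInput, "empty argv"))?;
    let (ok, rejected) = partition(entries);
    for name in &rejected {
        eprintln!("refusing to inject {}", name);
    }
    Command::new(prog).args(args).envs(ok).status()
}

fn main() -> Result<()> {
    // Constructed sample entries, not real secrets.
    let entries = [("DATABASE_URL", "postgres://localhost/dev"), ("PATH", "/tmp/bin")];
    let status = run_with(&entries, &["/usr/bin/env"])?;
    println!("child exited with {}", status);
    Ok(())
}
```

The prefix match is anchored at the start of the name, so an entry such as `PATH_PREFIX` still passes while every `LD_` and `DYLD_` variable is refused.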

Clone, build, done

One script handles the whole thing: builds the Tauri app, drops it in /Applications, and symlinks the CLI onto your PATH. Go grab coffee while Rust compiles.

01

Prerequisites

The usual suspects:

  • macOS
  • Node.js + npm
  • Rust toolchain
  • Xcode / CLT
02

Clone & Install

Three lines and a cup of patience:

git clone https://github.com/connorguy/sigyn.git
cd sigyn
./install.sh
03

Launch

Fire it up from /Applications or Spotlight. Touch ID gets you in.

sigyn --help
04

Quick Start

Create a project, throw in some secrets, select it in the app, then run:

sigyn npm start