NerdoVault
NerdoVault is a small macOS-first CLI for storing project secrets locally, unlocking them with macOS user presence, and injecting scoped env vars only into the process that needs them.
- Status: active
- Platform: macOS
- Language: Rust
- Link: GitHub
Secrets need a better local path now.
Coding agents are useful precisely because they can read the workspace. That same power makes plain .env files feel increasingly awkward.
NerdoVault keeps the useful local developer flow while moving secret values out of repo files, making committed manifests metadata-only, and keeping runtime injection easy enough that writing a new .env file becomes the weird path.
What shipped.
Local encrypted vault
Projects, aliases, audit metadata, and encrypted secret values live in a local SQLite vault under ~/.nerdovault, with 0700 vault-directory permissions and 0600 database permissions on Unix/macOS.
Keychain-backed master key
A single NerdoVault-owned master key is stored in the macOS Keychain. Secret access is gated by LocalAuthentication user presence, with Touch ID support when available.
Safe repo manifest
.nerdovault.toml is safe to commit because it contains project names, required environment names, and alias links, never secret values.
.env migration flow
Import existing .env files into a project, preview keys, warn on duplicates, and leave the source file untouched so cleanup stays explicit.
Runtime injection
Run commands or shells with project-scoped env vars injected into the child process without writing secrets back to disk.
Shared aliases
Link multiple project env names to one shared alias so rotating a key once updates every linked project at runtime.
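As an added example that is not NerdoVault's own code, the following std-only Rust sketch shows the two behaviours described under Runtime injection and Shared aliases: env names resolved through a shared alias so one rotation reaches every linked project, and the resolved values set on the child process only. The `Vault` struct, `Binding` enum and function names are assumptions, and the values used with it are constructed sample data.

```rust
use std::{collections::HashMap, io, process::{Command, Output}};

/// How a manifest entry gets its value: a project-private key, or a link
/// to a shared alias that several projects resolve through at runtime.
pub enum Binding {
    Own,
    Alias(String),
}

/// Hypothetical in-memory stand-in for the decrypted vault (the real tool
/// holds these encrypted in SQLite): project-private values keyed by
/// (project, env name) and shared values keyed by alias name.
#[derive(Default)]
pub struct Vault {
    pub project_values: HashMap<(String, String), String>,
    pub alias_values: HashMap<String, String>,
}

/// Resolve the env vars one project should see. Alias-linked names read the
/// alias value, so rotating an alias once changes every linked project.
/// Err carries the names with no value, like a "missing keys" doctor check.
pub fn resolve_env(
    project: &str,
    manifest: &[(String, Binding)],
    vault: &Vault,
) -> Result<Vec<(String, String)>, Vec<String>> {
    let (mut out, mut missing) = (Vec::new(), Vec::new());
    for (name, binding) in manifest {
        let value = match binding {
            Binding::Own => vault.project_values.get(&(project.to_owned(), name.clone())),
            Binding::Alias(alias) => vault.alias_values.get(alias),
        };
        match value {
            Some(v) => out.push((name.clone(), v.clone())),
            None => missing.push(name.clone()),
        }
    }
    if missing.is_empty() { Ok(out) } else { Err(missing) }
}

/// Spawn `program args...` with the resolved vars set only on the child.
/// The parent's environment is never modified and nothing touches disk.
pub fn run_with_env(program: &str, args: &[&str], env: &[(String, String)]) -> io::Result<Output> {
    let mut cmd = Command::new(program);
    cmd.args(args);
    for (k, v) in env {
        cmd.env(k, v);
    }
    cmd.output()
}
```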
Doctor diagnostics
Doctor checks Keychain state, auth policy, biometric availability, vault permissions, manifest drift, missing keys, and alias health.
Scan and guard rails
Scan detects .env files and obvious secret assignments. Guard installs a local pre-commit hook to block .env files and likely secrets before they leave the machine.
Homebrew and completions
The project ships a Homebrew formula and completion generation for common shells. v1 remains macOS-first because unlocks depend on macOS Keychain and LocalAuthentication.
Security notes.
- Default reads are redacted; raw values require an explicit reveal or runtime injection path.
- Encrypted values use fresh nonces and associated data so values are tied to the intended project key or alias identity.
- Interactive secret entry should use the hidden prompt or --stdin; --value warns because command-line values can be captured by shell history or process listings.
- Metadata such as project names, env var names, alias names, and audit events is intentionally visible locally for speed, autocomplete, and manifest checks.
- This is intentionally not a cloud sync, CI distribution, team sharing, backup, or malware-resistance product in v1.
- Deleting the Keychain master key makes the local encrypted vault unrecoverable until a future recovery feature exists.