§ 00·0x00/STACK / SECRETS
COMING SOON
Secrets without the .env.
Every secret encrypted at the field level. Accessible only to the right identity, at the right time. Cryptographically isolated environments. Full audit trail.
Never accidentally leak a secret again. Secrets is currently in development. Join the waitlist to get early access.
§ 01·0x01/CAPABILITIES / WHAT YOU GET
Six things your .env can’t do.
→ 01 · Type-safe SDK
TypeScript-first API that knows your secret schema. No stringly-typed keys, no runtime surprises, no stray `.env` files in your git history.
→ 02 · Cryptographic isolation
Each environment (dev, staging, prod) gets its own keyset. Provable separation between tenants and between environments, enforced by the math, not by policy.
→ 03 · Identity-bound access
Secrets decrypt only for the identity that is authorized to read them. Machines, humans, and CI pipelines all carry distinct client credentials.
→ 04 · CLI management
Terminal-first ergonomics. Create, rotate, revoke, and inspect secrets from the same shell you deploy from.
→ 05 · Full audit trail
Every read of every secret is logged with who, what, when, from where, and under what identity. Immutable by construction.
→ 06 · Bulk operations
Rotate, migrate, and batch-fetch secrets without decrypting every value in memory. Keysets move atomically.
§ 02·0x02/HOW IT WORKS / LIFECYCLE
Four steps from `.env` to forever.
01 · Define
Declare your secrets schema once. The SDK is type-safe from the moment you call it.
02 · Store
Secrets go into a cryptographically isolated environment. Every value is encrypted at the field level, never on disk in plaintext.
03 · Resolve
Your application (or CI pipeline) resolves secrets at runtime with its identity-bound client credentials. No `.env` files, no leaked tokens.
04 · Audit
Every access is recorded. When the auditor asks who saw the production database password last Thursday at 3 a.m., you have proof.
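The four lifecycle steps above, walked through as an added example. This is not CipherStash code and does not use the CipherStash SDK (the product is still in development and its API is not shown on this page); it is a hypothetical in-memory vault written in TypeScript on top of Node's built-in crypto module, to show what "cryptographic isolation", "identity-bound access" and "audit trail" mean mechanically: one AES-256-GCM key per environment, each ciphertext bound by AAD to its environment and field name, a policy check before any decryption, and an audit entry for every attempt, successful or not. The `SecretsVault` class, the identities, the secret names and the values are all constructed for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Step 1 (Define): the schema is a const tuple, so secret names are a closed union type.
// A typo such as vault.put("prod", "DATABASE_URI", ...) fails at compile time.
export const SECRET_SCHEMA = ["DATABASE_URL", "STRIPE_KEY"] as const;
export type SecretName = (typeof SECRET_SCHEMA)[number];
export type Env = "dev" | "staging" | "prod";

export interface Ciphertext { iv: string; ct: string; tag: string }
export interface AuditEntry {
  who: string; env: Env; name: SecretName; at: string;
  outcome: "ok" | "denied" | "missing" | "integrity-failure";
}

// Hypothetical in-memory vault (constructed for this example, not the CipherStash SDK).
export class SecretsVault {
  // Step 2 (Store): one independent AES-256-GCM key per environment.
  // Nothing encrypted under the prod key can be opened with the dev or staging key.
  private readonly keys: Record<Env, Buffer> = {
    dev: randomBytes(32), staging: randomBytes(32), prod: randomBytes(32),
  };
  private readonly store = new Map<string, Ciphertext>();
  readonly audit: AuditEntry[] = [];

  // policy: which environments each client identity may read from.
  constructor(private readonly policy: Record<string, readonly Env[]>) {}

  put(env: Env, name: SecretName, value: string): void {
    const iv = randomBytes(12);
    const cipher = createCipheriv("aes-256-gcm", this.keys[env], iv);
    // AAD binds the ciphertext to its environment and field name, so a blob
    // copied into another slot fails authentication even under the same key.
    cipher.setAAD(Buffer.from(`${env}:${name}`));
    const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
    this.store.set(`${env}:${name}`, {
      iv: iv.toString("base64"), ct: ct.toString("base64"),
      tag: cipher.getAuthTag().toString("base64"),
    });
  }

  // Step 3 (Resolve) + Step 4 (Audit): decrypt only for an authorized identity;
  // every attempt, whatever its outcome, is appended to the audit log.
  resolve(identity: string, env: Env, name: SecretName): string | null {
    const log = (outcome: AuditEntry["outcome"]) =>
      this.audit.push({ who: identity, env, name, at: new Date().toISOString(), outcome });
    if (!(this.policy[identity] ?? []).includes(env)) { log("denied"); return null; }
    const blob = this.store.get(`${env}:${name}`);
    if (!blob) { log("missing"); return null; }
    const value = this.open(this.keys[env], `${env}:${name}`, blob);
    log(value === null ? "integrity-failure" : "ok");
    return value;
  }

  // Isolation check: try to open a ciphertext stored under `from` as if it
  // belonged to `to`. Returns true only if decryption succeeds.
  crossEnvReplay(from: Env, to: Env, name: SecretName): boolean {
    const blob = this.store.get(`${from}:${name}`);
    return blob !== undefined && this.open(this.keys[to], `${to}:${name}`, blob) !== null;
  }

  private open(key: Buffer, aad: string, blob: Ciphertext): string | null {
    try {
      const d = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
      d.setAAD(Buffer.from(aad));
      d.setAuthTag(Buffer.from(blob.tag, "base64"));
      return Buffer.concat([d.update(Buffer.from(blob.ct, "base64")), d.final()]).toString("utf8");
    } catch {
      return null; // wrong key, wrong AAD or tampered blob: the GCM tag check failed
    }
  }
}

// Walk the lifecycle end to end with constructed identities and values.
export function lifecycleDemo() {
  const vault = new SecretsVault({
    "ci-pipeline": ["dev", "staging"], // CI never holds prod credentials
    "prod-api-server": ["prod"],
  });
  vault.put("prod", "DATABASE_URL", "postgres://prod-db/app");
  vault.put("staging", "DATABASE_URL", "postgres://staging-db/app");
  return {
    prodRead: vault.resolve("prod-api-server", "prod", "DATABASE_URL"),
    ciProdRead: vault.resolve("ci-pipeline", "prod", "DATABASE_URL"),
    replayOpens: vault.crossEnvReplay("prod", "staging", "DATABASE_URL"),
    audit: vault.audit.map((e) => `${e.who} ${e.env}:${e.name} ${e.outcome}`),
  };
}
```

In `lifecycleDemo`, the prod server reads its database URL, the CI identity is refused the same secret before any key is touched, and a prod ciphertext replayed under the staging key fails the GCM tag check. Both attempts appear in `audit` with who, which environment, which field and the outcome; a real system would also record the source address and persist the log append-only rather than in an array.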
∞ Audit trail · 0 Plaintext at rest · 100% Identity-bound
§ 03·0x03/SHIP / BUILD
Move your secrets off disk. Today.
Install the CipherStash stack, declare your first secret, and delete your `.env` file. Every secret you ship from now on is encrypted at the field level, audited by default, and bound to an identity that can be revoked in one call.