Environment Variable Vault

A local-first encrypted vault for managing environment variables across projects and environments. Multi-select export to .env files, clipboard, or Vercel. Biometric reveal, audit trail, automatic agent injection — secrets never leave the machine.

Last Updated: 2026-04-06
Category: guides
Security

Keychain-encrypted secrets. Biometric reveal. Multi-select export to .env files or Vercel — without the LLM ever seeing the values.

Overview

A local-first encrypted vault for managing environment variables across projects and environments. Secret values are stored exclusively in the macOS Keychain — never in any database, log file, or cloud service. Variable metadata lives in the local SQLite database. The vault integrates directly with the Eggspert AI engine so agent tool execution automatically inherits the correct environment variables, exactly like a developer's shell profile. Select multiple variables and export them as a .env file, copy to clipboard, or push directly to Vercel — without the agent or LLM ever seeing the values.

Why This Exists

"Spinning up a new project. I open the vault, select my eight DATABASE_URL, API_KEY, and Stripe variables, hit 'Save as File', and my .env.local is ready in two seconds — comment header included. I hit 'Export to Vercel', pick the project, and all eight land in Vercel's dashboard without me ever pasting a value manually."

Keychain-Encrypted Secrets

Values are stored in the macOS Keychain under per-entry namespaced keys, encrypted by the OS using the device's hardware security key. Navique's database contains only variable names and metadata — never values. There is no custom encryption layer and no plaintext on disk.

Multi-Environment Support

Each variable belongs to a specific environment: Development, Staging, Production, or Custom. The active environment is selectable per-session. Switching triggers an immediate re-sync to the Eggspert engine so agents always run with the correct set of variables.

Biometric Reveal Gate

Displaying a plaintext value requires Touch ID or device password every time. Values are never persisted in UI state — loaded on demand and discarded. There is no 'stay revealed' mode. This is intentional.

Value Rotation

A dedicated Rotate action (distinct from Edit) prompts for a new value and a rotation note. The old value is immediately overwritten in Keychain. The audit trail records the rotation event without storing either value. Clean, traceable secret hygiene.

Immutable Audit Trail

Every create, update, rotate, and delete operation appends a history record. Records contain only the operation type, timestamp, and an optional note — old values are never stored anywhere. The trail cannot be used to reconstruct previous values by design.
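An added sketch of an append-only history table in SQLite with no column that could hold a value. This is not Navique's own code: the table, column and trigger names are hypothetical.

```python
import sqlite3

# Hypothetical schema: operation type, timestamp and optional note only.
SCHEMA = """
CREATE TABLE variable_history (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    variable_id INTEGER NOT NULL,
    operation   TEXT NOT NULL
                CHECK (operation IN ('create', 'update', 'rotate', 'delete')),
    occurred_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    note        TEXT
);
CREATE TRIGGER history_no_update BEFORE UPDATE ON variable_history
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER history_no_delete BEFORE DELETE ON variable_history
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_trail(path=":memory:"):
    """Create the history table and its guard triggers."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def record(db, variable_id, operation, note=None):
    """Append one history record; the secret value is never a parameter."""
    with db:
        db.execute(
            "INSERT INTO variable_history (variable_id, operation, note) "
            "VALUES (?, ?, ?)",
            (variable_id, operation, note),
        )

def tamper_blocked(db, sql):
    """Run a modifying statement; return the error text if it was refused."""
    try:
        with db:
            db.execute(sql)
    except sqlite3.DatabaseError as exc:
        return str(exc)
    return None
```

The triggers refuse UPDATE and DELETE issued through SQL; they do not protect against a process that can rewrite the database file itself.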

Project Linking & Auto-Scan

Variables can be linked to one or more projects. When a project has a folder path set, the vault scans .env, .env.*, .env.example, docker-compose.yml, .envrc, and shell scripts for references to known variable names. Suggested links are surfaced as unconfirmed badges — nothing is linked automatically.

.env.example Diff

For any linked project with a .env.example file, the vault computes a live diff: variables present in the example but missing from the vault, and variables in the vault but absent from the example. Shown inline on the project link row and as a badge on the sidebar entry.
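The two-way diff described above, as an added example that is not Navique's own code. It reads only variable names from the example file; the function names and sample input are constructed for illustration.

```python
import re

# Matches "KEY=" or "export KEY=" at the start of a line. Only the name is
# captured, so values in the example file never enter the result.
_KEY_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")

def env_keys(text):
    """Return the set of variable names declared in .env-style text."""
    keys = set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment, including commented-out assignments
        match = _KEY_LINE.match(line)
        if match:
            keys.add(match.group(1))
    return keys

def example_diff(example_text, vault_names):
    """Compare a project's .env.example against names held in the vault."""
    wanted = env_keys(example_text)
    have = set(vault_names)
    return {
        "missing_from_vault": sorted(wanted - have),
        "absent_from_example": sorted(have - wanted),
    }

# Constructed sample input.
SAMPLE_EXAMPLE = """\
# Database
DATABASE_URL=
export API_KEY="changeme"
# LEGACY_TOKEN=unused
STRIPE_SECRET_KEY=placeholder
  SENTRY_DSN =
"""
SAMPLE_VAULT_NAMES = ["DATABASE_URL", "API_KEY", "REDIS_URL"]

if __name__ == "__main__":
    print(example_diff(SAMPLE_EXAMPLE, SAMPLE_VAULT_NAMES))
```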

Automatic Engine Injection

On vault save, rotate, delete, or engine reconnect, all variables for the active environment are pushed over loopback to the Eggspert engine's shared memory substrate. The tool runner reads these vars before spawning any subprocess and applies them to the child process environment. Shell commands run by agents inherit the correct environment without any per-session setup — and without the LLM ever seeing the values.
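An added sketch of a tool runner that applies vault variables to the child process environment only. It is not the Eggspert engine's code; `run_tool`, the sample variable and the output-scrubbing step are assumptions made here, the last because a child process can print its own environment into output that is returned to the model.

```python
import os
import subprocess
import sys

def run_tool(argv, vault_vars, timeout=30):
    """Run an agent-requested command with vault variables in its environment.

    Returns (exit_code, output), where output is the text that would be
    handed back to the LLM.
    """
    env = os.environ.copy()      # the parent's own environment is untouched
    env.update(vault_vars)       # child gets the active environment's set
    proc = subprocess.run(
        argv, env=env, capture_output=True, text=True, timeout=timeout
    )
    output = proc.stdout + proc.stderr
    # Assumption added here: mask any vault value that appears in the output.
    # Longest values first, so a value containing another is masked whole.
    for name, value in sorted(vault_vars.items(), key=lambda kv: -len(kv[1])):
        if value:
            output = output.replace(value, f"[{name} redacted]")
    return proc.returncode, output

# Constructed sample: a placeholder, not a real credential.
SAMPLE_VARS = {"DEMO_API_KEY": "constructed-value-123"}

def demo():
    """Child uses the variable and also prints it; the caller sees a mask."""
    child = (
        "import os\n"
        "v = os.environ['DEMO_API_KEY']\n"
        "print('key length', len(v))\n"
        "print(v)\n"
    )
    return run_tool([sys.executable, "-c", child], SAMPLE_VARS)

if __name__ == "__main__":
    print(demo())
```

Exact-match scrubbing is best-effort: it does not catch a value the child transforms before printing.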

Multi-Select Export

Click Select in the vault header to enter multi-select mode. Each row grows a checkbox. Tap any combination of variables — or use Select All — to build your export set. A live count tracks how many are selected. Click Done to exit without exporting.

The right pane transforms into an export action panel showing the selected variable names (no values). One biometric prompt covers the entire batch, regardless of how many variables are selected.

Export to .env File

After authenticating, a standard macOS save panel opens. Name the file anything your project expects — .env, .env.local, .env.development, .env.production. Every exported file starts with:

# ✦ Navique — your secrets, sealed in the Keychain.
# Managed by Navique · navique.app · Keep out of source control.

Followed by KEY=value pairs for each selected variable.
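An added example, not Navique's own code, of writing such a file with owner-only permissions. Quoting rules differ between dotenv loaders, so the double-quote escaping here is an assumption, and the function names and sample values are constructed.

```python
import os
import re

# Header lines exactly as the page gives them.
HEADER = (
    "# ✦ Navique — your secrets, sealed in the Keychain.\n"
    "# Managed by Navique · navique.app · Keep out of source control.\n"
)
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_BARE = re.compile(r"[A-Za-z0-9_./:@+-]*")   # values safe to write unquoted

def format_pair(key, value):
    """Render one KEY=value line, double-quoting values that need it."""
    if not _NAME.fullmatch(key):
        raise ValueError(f"invalid variable name: {key!r}")
    if _BARE.fullmatch(value):
        return f"{key}={value}"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'{key}="{escaped}"'

def render_env(pairs):
    """Header first, then one line per selected variable."""
    return HEADER + "".join(format_pair(k, v) + "\n" for k, v in pairs)

def write_env_file(path, pairs):
    """Write the export readable and writable by the owner only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fh.fileno(), 0o600)   # tighten a pre-existing file too
        fh.write(render_env(pairs))

# Constructed sample values, not real credentials.
SAMPLE = [
    ("DATABASE_URL", "postgres://app@localhost:5432/dev"),
    ("GREETING", 'say "hi" # now'),
]
```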

Copy to Clipboard

Copies the same formatted .env block to the clipboard. The copied values are automatically cleared from the clipboard after 30 seconds. For high-sensitivity values, prefer Save as File over clipboard.

Export to Vercel

Push selected variables directly to any connected Vercel project via the Vercel API.

  1. Pick the target Vercel project from a dropdown of your connected projects.
  2. Choose which environments to apply the variables to: Production, Preview, Development (all on by default).
  3. Review the list of key names that will be pushed — values are never shown in this confirmation step.
  4. Authenticate once. The batch push runs sequentially, catching individual failures without stopping the rest.
  5. A results view shows per-variable ✓ or ✗ with a brief error message for any that failed (e.g. duplicate key).

The Export to Vercel button is disabled and grayed out when Vercel is not connected. Connect it in the Integrations Hub first.

Variables support free-form tags and are searchable by name, description, or tag. Filter by environment, project, or tag to find the variable you need across hundreds of entries.
