Security

Environment Variable Vault

Keychain-encrypted secrets. Biometric reveal. Multi-select export to .env files or Vercel — without the LLM ever seeing the values.

A local-first encrypted vault for managing environment variables across projects and environments. Secret values are stored exclusively in the macOS Keychain — never in any database, log file, or cloud service. Variable metadata lives in the local SQLite database. The vault integrates directly with the Eggspert AI engine so agent tool execution automatically inherits the correct environment variables, exactly like a developer's shell profile. Select multiple variables and export them as a .env file, copy to clipboard, or push directly to Vercel — without the agent or LLM ever seeing the values.

Module ID: MOD-ENVIRONMENT-VARIABLE-VAULT-01
Status: Operational / Active
Deploy Env: Native App
Action: Initialise

Spinning up a new project. I open the vault, select my eight DATABASE_URL, API_KEY, and Stripe variables, hit 'Save as File', and my .env.local is ready in two seconds — comment header included. I hit 'Export to Vercel', pick the project, and all eight land in Vercel's dashboard without me ever pasting a value manually.

Technical Capabilities

01. Keychain-Encrypted Secrets

Values stored in macOS Keychain under per-entry namespaced keys, encrypted by the OS using the device's hardware security key. Navique's database contains only variable names and metadata — never values. No custom encryption layer, no plaintext on disk.

02. Multi-Environment Support

Each variable belongs to a specific environment: Development, Staging, Production, or Custom. The active environment is selectable per-session. Switching triggers an immediate re-sync to the Eggspert engine so agents always run with the correct set of variables.

03. Biometric Reveal Gate

Displaying a plaintext value requires Touch ID or device password every time. Values are never persisted in UI state — loaded on demand and discarded. There is no 'stay revealed' mode. This is intentional.

04. Value Rotation

A dedicated Rotate action (distinct from Edit) prompts for a new value and a rotation note. The old value is immediately overwritten in Keychain. The audit trail records the rotation event without storing either value. Clean, traceable secret hygiene.

05. Immutable Audit Trail

Every create, update, rotate, and delete operation appends a history record. Records contain only the operation type, timestamp, and an optional note — old values are never stored anywhere. The trail cannot be used to reconstruct previous values by design.
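An added sketch of an append-only, value-free history table in SQLite, to show what "cannot reconstruct previous values by design" looks like at the schema level. This is not Navique's code: the table name, the `variable_name` link column, the function names, and the use of triggers to reject edits are all assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema: no column exists that could hold a secret value.
# variable_name is an assumed link back to the variable's metadata row.
SCHEMA = """
CREATE TABLE variable_history (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    variable_name TEXT NOT NULL,
    operation     TEXT NOT NULL
                  CHECK (operation IN ('create', 'update', 'rotate', 'delete')),
    occurred_at   TEXT NOT NULL,
    note          TEXT
);
CREATE TRIGGER history_no_update BEFORE UPDATE ON variable_history
BEGIN SELECT RAISE(ABORT, 'variable_history is append-only'); END;
CREATE TRIGGER history_no_delete BEFORE DELETE ON variable_history
BEGIN SELECT RAISE(ABORT, 'variable_history is append-only'); END;
"""

def open_trail(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def record(conn, variable_name, operation, note=None):
    """Append one event. There is deliberately no parameter for a value."""
    with conn:
        conn.execute(
            "INSERT INTO variable_history"
            " (variable_name, operation, occurred_at, note) VALUES (?, ?, ?, ?)",
            (variable_name, operation,
             datetime.now(timezone.utc).isoformat(), note),
        )

def history(conn, variable_name):
    """Return (operation, note) pairs for one variable, oldest first."""
    return conn.execute(
        "SELECT operation, note FROM variable_history"
        " WHERE variable_name = ? ORDER BY id", (variable_name,)
    ).fetchall()

def rejected(conn, sql):
    """Return True if SQLite refuses the statement (trigger or CHECK)."""
    try:
        with conn:
            conn.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False
```

Triggers like these guard against application bugs and accidental edits; anyone who can write to the database file can drop them, so they are not a defence against a local attacker.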

06. Project Linking & Auto-Scan

Variables can be linked to one or more projects. When a project has a folder path set, the vault scans .env, .env.*, .env.example, docker-compose.yml, .envrc, and shell scripts for references to known variable names. Suggested links are surfaced as unconfirmed badges — nothing is linked automatically.

07. .env.example Diff

For any linked project with a .env.example file, the vault computes a live diff: variables present in the example but missing from the vault, and variables in the vault but absent from the example. Shown inline on the project link row and as a badge on the sidebar entry.
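An added example of the two-way comparison described above, working on variable names only so that no Keychain read or biometric prompt is involved. It is not Navique's implementation; the function names, the parsing rules, and the sample data are assumptions.

```python
import re

# Matches "NAME=" or "export NAME=" at the start of a line.
# Only the name is captured; whatever follows "=" is never read.
_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")


def parse_env_names(text):
    """Return the set of variable names declared in .env-style text."""
    names = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment (including commented-out vars)
        match = _ASSIGNMENT.match(line)
        if match:
            names.add(match.group(1))
    return names


def diff_example(example_text, vault_names):
    """Compare names in a .env.example with the names the vault knows."""
    example_names = parse_env_names(example_text)
    vault_names = set(vault_names)
    return {
        "missing_from_vault": sorted(example_names - vault_names),
        "absent_from_example": sorted(vault_names - example_names),
    }


# Constructed sample input, not taken from a real project.
SAMPLE_EXAMPLE = """\
# Database
DATABASE_URL=postgres://user:pass@localhost:5432/app
export API_KEY=
STRIPE_SECRET_KEY="changeme"
# LEGACY_TOKEN=disabled
not a valid line
"""
SAMPLE_VAULT_NAMES = ["DATABASE_URL", "API_KEY", "SENTRY_DSN"]

if __name__ == "__main__":
    print(diff_example(SAMPLE_EXAMPLE, SAMPLE_VAULT_NAMES))
```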

08. Automatic Engine Injection

On vault save, rotate, delete, or engine reconnect, all variables for the active environment are pushed over loopback to the Eggspert engine's shared memory substrate. The tool runner reads these vars before spawning any subprocess and applies them to the child process environment. Shell commands run by agents inherit the correct environment without any per-session setup — and without the LLM ever seeing the values.

09. Multi-Select Export

Enter select mode with a single click to tick any combination of variables across environments. A Select All / Deselect All shortcut and a live count make bulk selection fast. One biometric prompt authenticates the entire batch — not once per variable.

10. Export to .env File

After biometric authentication, a standard macOS save panel lets you write the selected variables to any filename: .env, .env.local, .env.development, .env.production — whatever the project expects. Every exported file includes a comment header noting it's managed by Navique and should stay out of source control.

11. Copy to Clipboard

Copies the selected variables as a formatted .env block — comment header included — to the clipboard. Values are automatically cleared after 30 seconds. Standard secret hygiene without the manual paste.

12. Export to Vercel

Push selected variables directly to any Vercel project via the Vercel API. Choose the target project and which environments (Production, Preview, Development) to apply them to. The sheet shows a confirmation list of key names before authenticating, pushes the batch, and reports per-variable success or failure — without stopping on partial errors.

13. 30-Second Clipboard Auto-Clear

Copied values are automatically cleared from the clipboard after 30 seconds. Standard secret hygiene. For high-sensitivity values, prefer the reveal-only workflow over copy.

14. Tags & Search

Variables support free-form tags and are searchable by name, description, or tag. Filter by environment, project, or tag to find the variable you need across hundreds of entries.

Integration Matrix