🗂️
Organized by hierarchy
Project → environment → secret, not by folder. Find any value in seconds.
Lightweight · local-first · written in Rust
Your dev secrets,
Your dev secrets,
organized by project
— not scattered .env files.
dev-secrets is a tiny, local-first, Telescope-style terminal UI (and full CLI) that keeps all your development values in one place — grouped by project → environment → secret — and exports the right set on demand. No daemon, no cloud, no account.
$
brew install peterkracik/tap/devsecrets
- 🪶 Single tiny binary
- 🔌 100% offline
- 🔭 Fuzzy TUI
- ⌨️ Full CLI parity
╭─ Secrets ─────────────────────────────────────╮ │ / db_ │ ├──────────────────────┬────────────────────────┤ │ v api (2 env) │ DB_HOST = localhost │ │ - dev * 3 keys │ DB_PORT = 5432 │ │ - prod 3 keys │ URL = $ref:DB_HOST │ │ > web (1 env) │ │ │ > infra (3 env) │ preview - s reveals │ ├──────────────────────┴────────────────────────┤ │ / filter n new x export ? help │ ╰───────────────────────────────────────────────╯
Centered, bounded floating window · fuzzy filter · live preview
Built for local development — not a production secrets manager
The store is plain, human-readable JSON on your disk and is not encrypted. Keep it to local, non-sensitive test values — localhost URLs, dummy keys, dev ports — and never real production credentials.
🪶
One small binary
A single self-contained executable. No runtime, no system libraries to install.
🔌
100% local
Everything stays on your disk as plain JSON. No cloud, no account, fully offline.
⚡
Instant & quiet
Starts immediately, no background daemon or service running on your machine.
🦀
Built in Rust
Fast, dependency-free, and portable across macOS, Linux and Windows.
😵💫 The usual mess
Several projects, each with a few environments
(dev, staging,
prod, a teammate's setup…). You end up with
.env files copied between folders, slowly drifting
out of sync — and no idea which one is current.
✨ One organized store
Project e.g. "api" └─ Environment "dev", "staging", "prod" └─ Secrets KEY = VALUE pairs
Sit down to work, export the right set on demand:
$ devsecrets export .env
See it in action
A 90-second tour of organizing, referencing and exporting your dev secrets.
Everything in its place
One small tool for organizing, referencing, importing and exporting local dev values.
🔭
Telescope-style TUI
Centered floating window, fuzzy search across projects and envs, live preview pane.
⌨️
Full CLI parity
Every action is scriptable — fits Makefiles, CI steps and entrypoints just as well.
🔗
Value references
Write ${project.env.KEY} to reuse a value. Resolved recursively, with cycle detection.
📌
Folder assignments
devsecrets setup binds a folder to a project/env, so export "just knows" what to use.
📥
Import & export
Pull in existing .env files (merge or replace); export to env, shell, JSON or TOML.
📋
Clipboard & OSC 52
Copy a single value or a whole environment — works over SSH and tmux too.
📝
Plain JSON store
Human-readable, diffable, easy to back up. Key order is preserved so diffs stay clean.
A TUI that feels like Telescope
Run devsecrets with no arguments. Projects and their
environments share one tree, so fuzzy navigation is instant. A match
on an environment keeps its project header visible; a match on a
project keeps all of its environments.
- / Fuzzy-filter projects & environments
- → Expand a project / open an environment
- n New environment or secret
- x Export · i Import · c Copy
- s Reveal / hide secret values
- ? Help overlay · q Quit
╭─ api / dev ─────────────────────────────────╮ │ / _ │ ├──────────────────────┬──────────────────────┤ │ DB_HOST │ DB_HOST │ │ DB_PORT │ type: text │ │ URL -> $ref:DB_HOST │ │ │ API_KEY ******** │ localhost │ │ │ │ ├──────────────────────┴──────────────────────┤ │ e edit g goto ref s reveal esc │ ╰─────────────────────────────────────────────╯
Quick start
From zero to a loaded .env in three commands.
1
Assign your folder
A short wizard picks (or creates) a project and environment and remembers this folder.
# in your project folder $ cd ~/code/api $ devsecrets setup
2
Add some secrets
Set values from the CLI — or press n in the TUI.
$ devsecrets secret set \ -p api -e dev DB_HOST localhost $ devsecrets secret set \ -p api -e dev DB_PORT 5432
3
Export on demand
No flags needed — this folder is assigned, so export just knows.
$ devsecrets export .env # writes this folder's env
…or just run devsecrets and do all of the above interactively.
References: share a value, store it once
A value can point at another secret, so a shared value lives in exactly one place. Three forms, depending on how much context you need — resolved relative to where the value lives.
${SECRET}same project, same environment${env.SECRET}same project, another environment${project.env.SECRET}anywhere in the store
Resolved at export time · nestable · cycles & missing targets are detected.
$ devsecrets secret set -p api -e dev DB_HOST localhost $ devsecrets secret set -p api -e dev URL 'http://${DB_HOST}:5432' $ devsecrets secret set -p api -e prod URL 'https://${dev.DB_HOST}/api' $ devsecrets secret set -p api -e dev DSN '${infra.prod.DATABASE_URL}' $ devsecrets secret get -p api -e dev URL → http://localhost:5432
Install
A single self-contained binary called devsecrets. No system libraries, no runtime.
🍺 Homebrew recommended
$
brew install peterkracik/tap/devsecrets
macOS / Linux · upgrade with brew upgrade devsecrets
⬇️ Prebuilt binary
$
curl -L …/releases/latest/…tar.gz | tar xz
Linux · macOS (Intel & Apple Silicon) · Windows .zip on the Releases page.
🦀 From source (Cargo)
$
cargo install --git …/dev-secrets.git
Requires Rust 1.74+ — the only build dependency.
Stop hunting for the right .env.
A tiny local tool, a fast TUI, and a CLI that scripts.