TL;DR: Keyden is a CLI that replaces .env with an AES-256-GCM encrypted vault on your machine. One password, one vault file, no plaintext on disk, nothing for git or your coding agent to read by accident. Local dev only — production should use your platform's secrets manager.

```bash
npm install -g keyden
keyden init
keyden set GEMINI_API_KEY
keyden run npm start
```

## Why I designed it

My eyes feel the pain, my brain feels the insecurity seeing keys in plaintext on my own machine. And the threat model has gotten worse, not better, in the last two years:

- Coding agents (Cursor, Claude Code, Copilot) read files into prompts. .env gets pulled in.
- Public-GitHub scanner bots find sk-... keys within minutes of push.
- CI runners still echo env blocks into build logs.
- Teammates still paste production keys into Slack at 2 a.m.

For purely local development I wanted something that:

- encrypts at rest with no extra service.…