DevSafe PREVIEW
Security Score
94
All protections active
Backup Coverage
12/12
All repos covered
Lockbox
15
Keys across 5 services
Exposures
0
No leaked secrets

Lockbox

AI-invisible secret storage. Your API keys stay on your machine.

15 keys stored
5 services
AI-invisible
AES-256-GCM
7/7 protections

Vault

Stripe 3 keys
STRIPE_SECRET_KEY sk_live_••••••••
STRIPE_PUBLISHABLE_KEY pk_live_••••••••
STRIPE_WEBHOOK_SECRET whsec_••••••••
OpenAI 2 keys
OPENAI_API_KEY sk-proj-••••••••
OPENAI_ORG_ID org-••••••••
Supabase 4 keys
SUPABASE_URLhttps://••••.supabase.co
SUPABASE_ANON_KEYeyJ••••••••
SUPABASE_SERVICE_KEYeyJ••••••••
DATABASE_URLpostgresql://••••
Resend 2 keys
RESEND_API_KEYre_••••••••
RESEND_DOMAINmail.example.com
Cloudflare R2 4 keys
R2_ACCESS_KEY_ID••••••••
R2_SECRET_ACCESS_KEY••••••••
R2_BUCKET_NAMEdevsafe-backups
R2_ENDPOINThttps://••••.r2.cloudflarestorage.com

Protection Status

Binary format (NUL byte blocks text tools)
AES-256-GCM encryption at rest
.gitignore blocks lockbox files
.claudeignore blocks lockbox files
.cursorignore blocks lockbox files
.copilotignore blocks lockbox files
Process injection (keys never in chat)

Active Grants

STRIPE_SECRET_KEY
a7f3c9d1... 3m 42s remaining
OPENAI_API_KEY
e2b8f4a0... 47s remaining

How It Works

1
Import your secrets
devsafe lockbox import .env

Your .env file gets encrypted into a binary lockbox. The original stays untouched.

2
AI writes safe references
STRIPE_KEY={{LOCKBOX:STRIPE_SECRET_KEY}}

The AI sees placeholder names, never real values. It writes code using references.

3
Run with secrets injected
devsafe lockbox run -- npm start

Secrets are decrypted and injected into the process. Your app runs normally. The AI never sees the values.