The result is envref, a tool that replaces secret values in .env files with ref:// URIs pointing to where the secret actually lives:
    # .env — safe to commit
    APP_NAME=my-app
    DATABASE_URL=ref://secrets/database_url
    API_KEY=ref://secrets/api_key
Config stays inline. Secrets stay in your OS keychain (or another backend). envref resolve merges them back together at runtime.
It plugs into direnv, so resolution happens automatically when you cd into a project. The resolve pipeline is optimized for <50ms with 100 variables to keep cd snappy.
Seven backend types: OS keychain (macOS/Linux/Windows — zero setup), a local encrypted vault (age + SQLite, for headless/CI), 1Password, AWS SSM, HashiCorp Vault, OCI Vault, and a plugin protocol for anything else.
It also does layered .env merging with profiles, variable interpolation, schema validation, a doctor command that scans for common .env issues, and `envref run` to inject resolved vars into a subprocess.
The experiment: Single Go binary, built across 77 autonomous agent iterations — ~192M tokens, $170 in API cost, 8 hours 41 minutes of compute time. I defined the goal, set up an agent loop with a backlog, and let it run. Happy to answer questions about that process.
The tool itself may be useful, but treat it as beta.
GitHub: https://github.com/xcke/envref
Site: https://xcke.github.io/envref
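A minimal sketch of the resolve step described in the post, added here as an illustration and not taken from envref's source. It assumes a `ref://<backend>/<key>` value maps the URI host to a backend name and the path to a key; `Backend` and `Resolve` are hypothetical names, and the stored secret is constructed sample data.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Backend is a hypothetical lookup hook (keychain, vault, ...); not envref's plugin protocol.
type Backend func(key string) (string, bool)

// Resolve swaps each ref://<backend>/<key> value in .env text for the backend's secret.
// It fails closed: an unknown backend or missing key is an error, never a literal "ref://".
func Resolve(env string, backends map[string]Backend) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(env))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected NAME=value", n)
		}
		if strings.HasPrefix(val, "ref://") {
			u, err := url.Parse(val)
			if err != nil {
				return nil, fmt.Errorf("line %d: malformed ref for %s", n, name)
			}
			get, known := backends[u.Host]
			if !known {
				return nil, fmt.Errorf("line %d: unknown backend %q", n, u.Host)
			}
			if val, ok = get(strings.TrimPrefix(u.Path, "/")); !ok {
				return nil, fmt.Errorf("line %d: no secret for %s", n, name)
			}
		}
		out[name] = val
	}
	return out, sc.Err()
}

func main() {
	store := map[string]string{"database_url": "postgres://constructed-example"} // constructed sample
	keychain := func(k string) (string, bool) { v, ok := store[k]; return v, ok }
	vars, err := Resolve("APP_NAME=my-app\nDATABASE_URL=ref://secrets/database_url\n", map[string]Backend{"secrets": keychain})
	fmt.Println(vars["APP_NAME"], len(vars), err) // report names and counts, never secret values
}
```

Error messages name the variable and backend but never echo a resolved value, so a failed resolve is safe to log.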