frontpage.

Show HN: Cloak – .env on disk has fakes, your editor shows them (CLI and VSCode)

https://getcloak.dev

1•wam_app•1h ago

I run AI coding agents with full filesystem access daily — Claude Code, Cursor, the works. Last month I realized every one of them has been reading my .env files with real Stripe live keys, database passwords, and AWS credentials. Sent straight to model providers as "context." .gitignore protects git, not disk. Secret managers protect servers, not laptops. Sandboxing the agent kills its usefulness. Nothing stopped a local cat .env from returning real credentials. So I built Cloak. The .env on disk always contains structurally valid fakes — sk_test_ for Stripe, localhost for databases, AWS example keys. Agents read the file, get sandbox values, write perfectly valid code. The VS Code/Cursor extension intercepts file opens and decrypts from an AES-256-GCM vault so you see real values in your editor. On save, it re-encrypts and writes sandbox to disk. cloak run npm start injects real env vars gated behind Touch ID / password — agents can't authenticate. Technical decisions worth discussing:

Rust CLI + TypeScript extension sharing the same vault binary format (CLK magic bytes + version byte for future evolution). Cross-compatibility tested explicitly. Biometric auth as the agent boundary. The insight: agents can read any file but can't provide a fingerprint. Touch ID on macOS, interactive-terminal-only password on Linux/Windows. Non-TTY processes are rejected. Sandbox generation is deterministic — HMAC-SHA256 of project hash + key name produces the same fake value every time. No randomness means no diffs in git, no confusing the agent with changing values. Recovery key (CLOAK-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx) shown once during init, never stored on disk. PBKDF2-SHA256 with 100k iterations protects a recovery file that can reconstruct the keychain key. Same model as disk encryption recovery keys. Zero AI inside. All detection is regex + Shannon entropy. Your secrets never touch a network. No telemetry, no cloud, no accounts.

Open source, MIT licensed. Interested in feedback on the threat model — particularly whether the biometric gate is sufficient or if there are bypass vectors I haven't considered.

Cesar Chavez, a Civil Rights Icon, Is Accused of Abusing Girls for Years

Redpanda pushes the envelope on Nvidia Vera

Is Spotify's AI 'killing' Australian music?

Pimco Sees Private Credit Strains Triggering Wake-Up Call on Liquidity Risks

570k Lines of LLM Code Compiled Fine. It Was 20,171x Slower Than SQLite

Ask HN: How is your company managing internal AI agents?

Is there an AI garage startup path?

Show HN: Atria – terminal UI for managing multiple coding agents

Who want's to buy this anonymous messaging site in 1000 rupees

Polymarket gamblers threaten Israeli journalist over missile strike story

Show HN: WattSeal – PC power consumption monitor

Deno Employees Leave

The Vibe Thinker Bible

DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

Users hate it, but age-check tech is coming

Autoproto – minimal C++ MTProto client library stripped from TDLib

Rapper Afroman's trial over using raid footage in music video enters second day

Geely Eyes Canadian Auto Market After Deal Allowing Chinese EVs

Another Forbes 30 Under 30 startup founder in trouble with the Feds for lying

Show HN: GitComet speedy Git GUI written in Rust end-to-end

Test in Prod or Live a Lie

Mining your team's PR reviews into automated code review rules

Build AI Agents for Elevation, Not Replacement

A complete set of canonical nucleobases in the carbonaceous asteroid Ryugu

How to Read Books That Challenge Your Mind: Advice from Robert Greene

Solar energy transforms polystyrene waste into valuable chemicals using sulfur

Show HN: SHTMLs – HTML pastebin where the AI uploads its own output

Acoustic metamaterial can send complex signals directly between water and air

Show HN: Deploybase CLI – Search GPU and LLM pricing from your terminal

Show HN: MCP Certify – Auto-test MCP servers for security and compliance