Tene is a local-first, encrypted secret management CLI. It stores your API keys, tokens, and credentials in an encrypted SQLite vault on your device. No server, no signup, no cloud dependency.

How does Claude Code auto-detection work?

When you run tene init, it generates a CLAUDE.md file in your project root. Claude Code reads this file automatically and learns how to use tene to retrieve secrets.

Yes, Tene is 100% free and open source under the MIT license. All local features — encryption, runtime injection, multi-environment, AI editor rules — are free forever with no limits.

Will there be team features?

Team sync and collaboration features are being designed. The goal is encrypted team sync without a central server. Join the waitlist at tene.sh to get notified when it launches.

How are my secrets encrypted?

Tene uses XChaCha20-Poly1305 encryption with 256-bit keys derived from your master password via Argon2id. Each secret gets a unique 192-bit nonce.

Does Tene work offline?

Tene is 100% offline. It makes zero network calls. Your secrets are encrypted and stored locally in a SQLite database.

tene Tech Blog

AI-safe secrets · Vibe coding · Developer security · Local-first infrastructure

RSS feed

#Security(6)#DevSecOps(4)#Tutorial(4)#AI(3)#Vibe Coding(2)#Comparison(2)#CLI(1)#Cryptography(1)#Go(1)#Architecture(1)

Apr 23, 2026 · 5 min read
Your .env is not a secret. AI can read it.
Plaintext .env files are a liability in the AI coding era. Here is why the AI-agent threat model changes the math, and what to replace .env with.
#security#ai#devsecops
Apr 23, 2026 · 5 min read
Claude Code + API keys: the safe workflow
A practical pattern for using Claude Code with real API keys without leaking them into the context window. Covers CLAUDE.md auto-generation, 'tene run --' subshell, and concrete Stripe / OpenAI examples.
#ai#security#tutorial
Apr 23, 2026 · 5 min read
dotenv-vault is shutting down. Here's what to migrate to.
The dotenv-vault Pro tier was discontinued in February 2026. Here is a honest side-by-side of the migration options — Doppler, Infisical, HashiCorp Vault, and tene — and a one-command path off the old product.
#devsecops#security#comparison
Apr 22, 2026 · 4 min read
Migrating from .env to an encrypted vault in 60 seconds
A hands-on tutorial: take an existing .env file, import it into an encrypted vault, and get your app running through runtime injection. No code changes needed.
#tutorial#devsecops#cli
Apr 21, 2026 · 5 min read
XChaCha20-Poly1305 for developers: why it is the right choice for local secrets
A practical explanation of XChaCha20-Poly1305 and why tene picked it over AES-GCM for a local-first secret vault. No PhD required.
#security#cryptography#go
Apr 20, 2026 · 5 min read
Cursor + secret management in 2026
How to set up Cursor so API keys stay out of the AI context, using the .cursor/rules/tene.mdc file to teach the agent the safe pattern.
#ai#security#vibe-coding
Apr 18, 2026 · 5 min read
Why I stopped using Doppler
Doppler is a good product. This is not a hit piece. It is an honest walk through why a solo developer moved off it to a local-first vault — and why you might too, or might not.
#comparison#devsecops#security

tene Tech Blog

Your .env is not a secret. AI can read it.

Claude Code + API keys: the safe workflow

dotenv-vault is shutting down. Here's what to migrate to.

Migrating from .env to an encrypted vault in 60 seconds

XChaCha20-Poly1305 for developers: why it is the right choice for local secrets

Cursor + secret management in 2026

Why I stopped using Doppler