Environment variable management that knows which env is production.
Aegis manages .env files as first-class objects - with environment separation, drift detection, and CLI sync that integrates into existing deployment workflows.
Environments as a first-class concept.
Production, staging, and development are not just naming conventions in Aegis. Each environment has its own credential store, its own access rules, and its own audit log.
A developer with staging access cannot see production values unless explicitly granted. The access model matches the risk model: production access is treated as a separate, higher-stakes grant.
The commands your CI/CD pipeline already expects.
The Aegis CLI integrates into deployment pipelines without changes to the application code.
Catch credential divergence before it causes an incident.
When a value stored in Aegis differs from what a service is using locally, Aegis flags it as drift. This catches the common case where someone updated a key directly in production without updating the credential store - or vice versa.
Drift flags can be resolved by rotating the credential (making Aegis the source of truth) or by updating the local file and pushing to Aegis. Either way, the resolution is logged.
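The comparison described above, as an added example that is not Aegis code: it diffs a local .env file against a credential store by keyed fingerprint, so the report names the keys that drifted without exposing any value. The function names, the store layout (key name mapped to HMAC-SHA256 fingerprint), and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac

def parse_env(text):
    """Parse .env text: KEY=VALUE lines, optional 'export ' prefix, '#' comment lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop one pair of matching quotes
        values[key] = value
    return values

def fingerprint(value, mac_key):
    # Keyed digest: lets two sides compare a secret without storing or printing it.
    return hmac.new(mac_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def detect_drift(stored_fingerprints, local_env_text, mac_key):
    local = parse_env(local_env_text)
    report = {"changed": [], "missing_locally": [], "not_in_store": []}
    for key in sorted(set(stored_fingerprints) | set(local)):
        if key not in local:
            report["missing_locally"].append(key)
        elif key not in stored_fingerprints:
            report["not_in_store"].append(key)
        elif not hmac.compare_digest(stored_fingerprints[key], fingerprint(local[key], mac_key)):
            report["changed"].append(key)
    return report

# Constructed sample data (hypothetical store contents and local file).
MAC_KEY = b"constructed-demo-mac-key"
STORE = {k: fingerprint(v, MAC_KEY) for k, v in {
    "DATABASE_URL": "postgres://app@db.internal/prod",
    "API_KEY": "constructed-old-key",
    "SMTP_PASSWORD": "constructed-smtp",
}.items()}
LOCAL_ENV = '''# production .env (constructed)
export DATABASE_URL="postgres://app@db.internal/prod"
API_KEY=constructed-new-key
FEATURE_FLAG=on
'''
if __name__ == "__main__":
    print(detect_drift(STORE, LOCAL_ENV, MAC_KEY))
```

A key under "changed" corresponds to the case where someone updated a value on one side only; the other two lists cover keys that exist on just one side.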
What the .env manager covers.
Direct .env import
Drag a .env file into a workspace. Aegis parses, encrypts, and asks who on your team should see each key - no manual re-entry of existing credentials.
Environment-scoped RBAC
A developer can have write access in staging and read-only access in production. Access rules are configured per-environment, not per-project.
Drift detection
When a value stored in Aegis differs from what a service is using locally, Aegis flags it. This catches the common case where someone updated a key directly in production.
Separate audit trails
Production and non-production events are logged separately. Auditors reviewing production access don't have to filter through development noise.