Remove .env files from your Git history. Not from your workflow.
Aegis replaces the .env file as a distribution mechanism while keeping the developer workflow intact. Pull credentials with the CLI, push changes back, and detect drift automatically.
Every copy of a .env file is an untracked credential leak.
.env files in Git repositories expose credentials to everyone with repository access, including people who have since left the team and, if the commit is never cleaned from history, anyone who clones the repo in the future.
Sharing them over Slack or email creates untracked copies on multiple machines with no record of where they ended up.
Aegis provides the same credential availability (the local .env file still exists, and your application code still reads it), but the credential values live in an encrypted store, not in a file that gets emailed around.
One command replaces the manual copy-paste step.
The developer experience stays almost identical. The distribution mechanism changes.
Four things that change when you use Aegis for .env.
The .env file is not committed. Aegis is the source of truth. The CLI generates a local file on demand, and that file is not tracked in version control.
Access to pull production credentials is a separate, explicit grant. A developer who can pull staging credentials cannot pull production values unless that access is specifically granted.
The local file generated by sb aegis pull is created fresh from the encrypted store each time. There's no persistent unencrypted copy sitting on a developer's machine between sessions.
When a local file diverges from the stored source of truth, because a key was changed in production directly or someone edited locally, Aegis flags it and logs the divergence.
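To make the drift check described above concrete, here is an added example (not Aegis code, and not how Aegis is implemented) that compares a local .env against a stored copy and reports only key names, so the result can be logged without exposing values. The function names parse_env and detect_drift and all sample data are hypothetical and constructed for illustration.

```python
def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, drop 'export ' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        # Remove one pair of matching surrounding quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def detect_drift(stored, local):
    """Classify drift per key. Returns key names only, never values."""
    report = {"missing_locally": [], "local_only": [], "changed": []}
    for key in sorted(set(stored) | set(local)):
        if key not in local:
            report["missing_locally"].append(key)   # added upstream, not pulled yet
        elif key not in stored:
            report["local_only"].append(key)        # added by a local edit
        elif stored[key] != local[key]:
            report["changed"].append(key)           # rotated upstream or edited locally
    return report


# Constructed sample data: stands in for the decrypted source of truth.
STORED = {
    "DATABASE_URL": "postgres://app@db.internal/app",
    "API_KEY": "example-key-v2",
    "SENTRY_DSN": "https://example.invalid/1",
}
# Constructed sample data: a local .env that has diverged.
LOCAL_ENV = """
# local .env
export DATABASE_URL="postgres://app@db.internal/app"
API_KEY=example-key-v1
DEBUG=true
"""

if __name__ == "__main__":
    for kind, keys in detect_drift(STORED, parse_env(LOCAL_ENV)).items():
        print(f"{kind}: {', '.join(keys) or '-'}")
```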