Sigyn
Serverless, encrypted, peer-to-peer secret management CLI. Git-native sync, RBAC, CRDT conflict resolution, and zero-server architecture. A Doppler alternative.
Sigyn is a CLI secret manager that keeps every secret encrypted at rest, syncs through plain Git, and never requires a central server. Think of it as Doppler -- but fully serverless and peer-to-peer.
Why "Sigyn"?
In Norse mythology, Sigyn is the goddess of fidelity and devotion -- she faithfully holds a bowl over her bound husband Loki to shield him from venom. Sigyn the tool does the same for your secrets: it stands guard over your sensitive data, shielding it from exposure with steadfast encryption and access control. Loyalty, protection, and quiet reliability -- that is what Sigyn is about.
Feature highlights
- Encryption -- ChaCha20-Poly1305 authenticated encryption, sealed with X25519 envelope encryption, Argon2id key derivation.
- Git-native sync -- secrets live in a Git repository; no proprietary server or SaaS dependency.
- CRDT conflict resolution -- vector clocks and LWW-Map CRDTs merge concurrent edits deterministically.
- Role-based access control -- seven-level hierarchy: ReadOnly, Auditor, Operator, Contributor, Manager, Admin, Owner.
- Delegation trees -- delegate permissions to peers with automatic cascade revocation.
- Per-environment secrets -- first-class support for dev, staging, production, and custom environments with cryptographic key isolation (each environment has its own independent encryption key).
- Per-key ACLs -- granular constraints including time windows, expiry, and MFA enforcement.
- TOTP-based MFA -- optional multi-factor authentication per identity with session-based grace periods and backup codes.
- Signed audit trail -- hash-chained, Ed25519-signed log of every secret operation.
- Disaster recovery -- Shamir secret sharing splits the master key into K-of-N shards.
- Fork system -- leashed and unleashed forks for team branches and experimentation.
- Rotation scheduling -- cron-based automatic rotation with breach mode for emergency re-key.
- Import/export -- bring secrets in from Doppler, AWS Secrets Manager, GCP Secret Manager, 1Password, or `.env` files; export to dotenv, JSON, Kubernetes secrets, Docker env, or shell eval.
- Project config -- `.sigyn.toml` for per-project vault, environment, identity defaults, and named run commands.
- Process injection -- `sigyn run -- cmd` injects secrets as environment variables without writing them to disk.
- Unix socket server -- programmatic access for scripts and CI pipelines.
- Interactive TUI -- ratatui-powered dashboard for browsing and managing secrets.
- Hierarchical organizations -- nested org/division/team hierarchy with inherited RBAC (highest role wins), per-level encryption, cascading member management, and configurable git remotes at any level.
- Guided onboarding -- `sigyn onboard` walks through identity, vault, import, and project setup.
- Batch editing -- `sigyn secret edit` opens secrets in `$EDITOR` for bulk changes.
- Cross-env search -- `sigyn secret search 'DB_*'` finds secrets across all environments.
- Env diff & clone -- compare or duplicate environments in one command.
- Auto-sync -- automatically push changes after writes when `auto_sync` is enabled.
- Webhook notifications -- get notified on secret changes, rotations, and revocations.
- Self-update -- `sigyn update` downloads and installs the latest release with checksum verification.
- CI/CD integration -- official GitHub Action plus GitLab CI and generic pipeline support with CI identity bundles.
- Passphrase agent -- ssh-agent-like daemon caches your passphrase for a session.
- Watch mode -- `sigyn watch` auto-restarts your app when secrets change.
- Context switching -- `sigyn context` sets persistent vault/env/identity defaults.
- Shell completions -- bash, zsh, fish, and PowerShell.
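The list above says that concurrent edits are merged deterministically with vector clocks and an LWW-Map CRDT. The following is an added, stand-alone Rust example of that technique, written for this page; it is not Sigyn's implementation, the peer names, keys and values are made up, and the tie-break for concurrent writes (total order on writer id, then value) is an assumption, since the page does not state Sigyn's own tie-break. It shows two peers editing the same key offline, merging in opposite orders, and converging on the same value.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Vector clock: one monotonically increasing counter per peer.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct VectorClock(BTreeMap<String, u64>);

/// Result of comparing two vector clocks.
#[derive(Debug, PartialEq, Eq)]
pub enum Causality { Before, After, Equal, Concurrent }

impl VectorClock {
    fn tick(&mut self, peer: &str) {
        *self.0.entry(peer.to_string()).or_insert(0) += 1;
    }

    /// Pointwise maximum: a clock that has seen everything both inputs have seen.
    fn merge(&mut self, other: &VectorClock) {
        for (peer, &count) in &other.0 {
            let mine = self.0.entry(peer.clone()).or_insert(0);
            *mine = (*mine).max(count);
        }
    }

    pub fn compare(&self, other: &VectorClock) -> Causality {
        let peers: BTreeSet<&String> = self.0.keys().chain(other.0.keys()).collect();
        let (mut less, mut greater) = (false, false);
        for peer in peers {
            let a = self.0.get(peer).copied().unwrap_or(0);
            let b = other.0.get(peer).copied().unwrap_or(0);
            less |= a < b;
            greater |= a > b;
        }
        match (less, greater) {
            (false, false) => Causality::Equal,
            (true, false) => Causality::Before,
            (false, true) => Causality::After,
            (true, true) => Causality::Concurrent,
        }
    }
}

/// One register of the map. `value == None` is a tombstone, so deletes replicate too.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Register {
    pub value: Option<String>,
    pub clock: VectorClock,
    pub writer: String,
}

/// Last-writer-wins map replica owned by one peer (example model, not Sigyn's types).
#[derive(Clone, Debug)]
pub struct LwwMap {
    peer: String,
    clock: VectorClock,
    pub entries: BTreeMap<String, Register>,
}

impl LwwMap {
    pub fn new(peer: &str) -> Self {
        LwwMap { peer: peer.to_string(), clock: VectorClock::default(), entries: BTreeMap::new() }
    }

    fn write(&mut self, key: &str, value: Option<String>) {
        self.clock.tick(&self.peer);
        let reg = Register { value, clock: self.clock.clone(), writer: self.peer.clone() };
        self.entries.insert(key.to_string(), reg);
    }

    pub fn set(&mut self, key: &str, value: &str) { self.write(key, Some(value.to_string())); }
    pub fn delete(&mut self, key: &str) { self.write(key, None); }

    pub fn get(&self, key: &str) -> Option<&str> {
        self.entries.get(key).and_then(|r| r.value.as_deref())
    }

    /// Merge another replica's state. Commutative, associative and idempotent,
    /// so the order in which peers pull from each other never changes the result.
    pub fn merge(&mut self, other: &LwwMap) {
        for (key, theirs) in &other.entries {
            let take = match self.entries.get(key) {
                None => true,
                Some(ours) => wins(theirs, ours),
            };
            if take {
                self.entries.insert(key.clone(), theirs.clone());
            }
        }
        self.clock.merge(&other.clock);
    }
}

/// A causally later write wins. For concurrent writes the tie-break is a total order on
/// (writer id, value), derived only from replicated data, so every replica picks the same
/// winner. Assumed rule for this example; wall-clock time is deliberately not used.
fn wins(candidate: &Register, current: &Register) -> bool {
    match candidate.clock.compare(&current.clock) {
        Causality::After => true,
        Causality::Before | Causality::Equal => false,
        Causality::Concurrent => {
            (candidate.writer.as_str(), &candidate.value) > (current.writer.as_str(), &current.value)
        }
    }
}

fn main() {
    let mut alice = LwwMap::new("alice");
    alice.set("DATABASE_URL", "postgres://db/app");
    let mut bob = LwwMap::new("bob");
    bob.merge(&alice);
    // Offline, both peers write the same key.
    alice.set("API_KEY", "k-alice");
    bob.set("API_KEY", "k-bob");
    // Sync in opposite orders; both converge.
    alice.merge(&bob);
    bob.merge(&alice);
    println!("alice sees {:?}, bob sees {:?}", alice.get("API_KEY"), bob.get("API_KEY"));
}
```

The property worth checking in any CRDT-based secret store is the one `main` exercises: a replica that merges A then B must end up byte-identical to one that merges B then A. If the tie-break ever depends on local wall-clock time instead of replicated data, two peers can disagree about which secret is current, and a peer with a skewed clock can win every conflict.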
Quick start
Install
# macOS / Linux
curl -fsSL https://raw.githubusercontent.com/tonybenoy/sigyn/main/install.sh | sh
# Windows (PowerShell)
irm https://raw.githubusercontent.com/tonybenoy/sigyn/main/install.ps1 | iex
# Or build from source (requires Rust 1.75+)
cargo install --path crates/sigyn-cli
Uninstall
# macOS / Linux
curl -fsSL https://raw.githubusercontent.com/tonybenoy/sigyn/main/uninstall.sh | sh
# Windows (PowerShell)
irm https://raw.githubusercontent.com/tonybenoy/sigyn/main/uninstall.ps1 | iex
Basic usage
# Create an identity (keypair)
sigyn identity create -n alice
# Create a vault for your project
sigyn vault create myapp
# Store secrets (use -v for vault, -e for env, -i for identity)
sigyn secret set DATABASE_URL "postgres://localhost/myapp" -v myapp -e dev
sigyn secret set API_KEY "sk-..." -e dev
# Retrieve a secret
sigyn secret get DATABASE_URL -e dev
# List all secrets in an environment
sigyn secret list -e dev
# Inject secrets into a process (never written to disk)
sigyn run -e dev -- ./start-server
# Or use a project config for zero-flag workflows (see below)
Project config (.sigyn.toml)
Drop a .sigyn.toml in your project root to set per-project defaults:
[project]
vault = "myapp"
env = "dev"
identity = "alice"
[commands]
dev = "npm run dev"
app = "./start-server"
migrate = "python manage.py migrate"
Then simply:
sigyn run dev # runs 'npm run dev' with secrets injected
sigyn run app --prod # runs './start-server' with prod secrets
sigyn secret list # uses vault/env/identity from .sigyn.toml
Organizations
Group vaults into a hierarchical org structure with inherited RBAC. See Organizations for details.
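To make the "highest role wins" rule concrete, here is an added Rust example written for this page, not Sigyn's code: the role order follows the seven-level listing in the feature list (lowest to highest), and the org/division/team names and identities are made up. It models grants at any level of the tree and resolves an identity's effective role at a node as the maximum over that node and its ancestors. The point to notice is that a lower role granted deeper in the tree cannot narrow access inherited from above; to restrict someone, revoke at the level that granted.

```rust
use std::collections::BTreeMap;

/// The seven roles, lowest to highest in the order the README lists them,
/// so `Ord` is exactly the "highest role wins" comparison.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role { ReadOnly, Auditor, Operator, Contributor, Manager, Admin, Owner }

/// Grants keyed by (node path, identity). A path is the chain of names from the
/// root org down, e.g. ["acme", "platform", "payments"]. Illustrative model only.
#[derive(Default)]
pub struct OrgTree {
    grants: BTreeMap<(Vec<String>, String), Role>,
}

fn path(node: &[&str]) -> Vec<String> {
    node.iter().map(|s| s.to_string()).collect()
}

impl OrgTree {
    pub fn grant(&mut self, node: &[&str], identity: &str, role: Role) {
        self.grants.insert((path(node), identity.to_string()), role);
    }

    pub fn revoke(&mut self, node: &[&str], identity: &str) {
        self.grants.remove(&(path(node), identity.to_string()));
    }

    /// Effective role at `node`: the highest role granted at the node itself or at
    /// any ancestor. Grants never flow upward, so a team-level grant says nothing
    /// about the parent division.
    pub fn effective_role(&self, node: &[&str], identity: &str) -> Option<Role> {
        (1..=node.len())
            .filter_map(|depth| {
                self.grants.get(&(path(&node[..depth]), identity.to_string())).copied()
            })
            .max()
    }

    pub fn allows(&self, node: &[&str], identity: &str, required: Role) -> bool {
        self.effective_role(node, identity).map_or(false, |r| r >= required)
    }
}

fn main() {
    let mut tree = OrgTree::default();
    tree.grant(&["acme"], "alice", Role::Admin);
    tree.grant(&["acme", "platform"], "bob", Role::Contributor);
    // A lower grant deeper in the tree does not narrow bob's inherited access.
    tree.grant(&["acme", "platform", "payments"], "bob", Role::ReadOnly);
    let payments = ["acme", "platform", "payments"];
    println!("alice at payments: {:?}", tree.effective_role(&payments, "alice"));
    println!("bob at payments:   {:?}", tree.effective_role(&payments, "bob"));
}
```

When auditing an org tree with inherited RBAC, list grants at the root and division levels first: every one of them is an implicit grant on every vault below, whatever the team-level policy says.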
Sync via Git
sigyn sync push
sigyn sync pull
CI/CD Integration
Sigyn has a first-class GitHub Action for injecting vault secrets into your pipelines.
Setup
# Create a CI-specific identity
sigyn identity create --name ci-bot
# Invite it with minimal permissions
sigyn delegation invite create --role reader --envs staging,prod
# Generate a CI bundle (single base64 string)
sigyn ci setup ci-bot
Add three secrets to your GitHub repo: SIGYN_CI_BUNDLE, SIGYN_PASSPHRASE, and VAULT_SSH_KEY.
GitHub Actions usage
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Load secrets
uses: tonybenoy/sigyn/action@main
with:
bundle: ${{ secrets.SIGYN_CI_BUNDLE }}
passphrase: ${{ secrets.SIGYN_PASSPHRASE }}
vault-ssh-key: ${{ secrets.VAULT_SSH_KEY }}
vault-repo: git@github.com:myorg/sigyn-vaults.git
vault: myapp
environment: prod
# All secrets are now available as environment variables
- name: Deploy
run: ./deploy.sh
The action supports multiple export modes (env, dotenv, json, mask-only), key filtering, and automatic log masking. See the CI/CD guide for GitLab CI, generic CI platforms, and security best practices.
Architecture
Sigyn is a Cargo workspace with four crates:
| Crate | Purpose |
|-------|---------|
| sigyn-core | Pure library (publishable): crypto, policy, CRDT, types -- zero I/O dependencies |
| sigyn-engine | I/O layer: filesystem, git sync, audit persistence -- depends on and re-exports sigyn-core |
| sigyn-cli | Binary (sigyn): CLI interface, TUI, process injection, import/export |
| sigyn-recovery | Standalone binary (sigyn-recovery): Shamir shard management and vault recovery |
See the docs/ directory for detailed design documents.
CLI reference
sigyn <command>
| Command | Description |
|---------|-------------|
| identity | Manage identities (keypairs) |
| vault | Create and manage vaults |
| secret | Store, retrieve, list, and delete secrets |
| env | Manage environments (create, list, promote) |
| policy | Configure RBAC policies and constraints |
| mfa | Manage TOTP-based multi-factor authentication |
| org | Manage organizations and hierarchy (create, tree, policy, sync) |
| delegation | Invite members, revoke access, view delegation tree |
| audit | View and verify the signed audit trail |
| sync | Push, pull, and resolve sync conflicts |
| fork | Create and manage vault forks |
| project | Initialize and manage project config (.sigyn.toml) |
| run | Inject secrets into processes, export, or serve via socket |
| rotate | Rotate secrets, schedule rotation, breach mode |
| import | Import from Doppler, AWS, GCP, 1Password, dotenv, JSON |
| ci | Set up CI/CD identities and generate bundles |
| notification | Configure and test webhook notifications |
| context | Set persistent vault/env/identity context |
| agent | Passphrase caching agent (ssh-agent-like) |
| watch | Watch mode — auto-restart app on secret changes |
| onboard | Guided first-run setup wizard |
| tui | Launch the interactive TUI dashboard |
| update | Self-update to the latest release |
| doctor | Run health checks |
| status | Show current vault, identity, environments, sync, and rotation info |
| init | Initialize default configuration (interactive: offers identity/vault creation) |
| completions | Generate shell completions (bash, zsh, fish, powershell) |
Run sigyn <command> --help for detailed usage of any command.
Security model
- **Enc