Great writeup on offline OSM routing! If you're also interested in simulating vehicle movement on those road networks — useful for testing tracking or logistics software — Moveet (https://github.com/ivannovazzi/moveet) does exactly that: A* pathfinding on GeoJSON road graphs with WebSocket streaming of real-time positions. It uses the same OSM data you'd be pre-processing here.
Neat project! For anyone building or testing EV fleet management software who needs realistic vehicle movement data, Moveet (https://github.com/ivannovazzi/moveet) might be useful — it's an open-source simulator that drives synthetic vehicles along real OSM road networks using A* pathfinding, streaming GPS positions over WebSocket. It supports Kafka and REST sinks so you can feed position data straight into whatever backend you're testing.
Cool project! The OSM vehicle interpolation along way geometries is a nice touch. If you want to push further into realistic vehicle routing — where vehicles actually navigate junctions and follow shortest paths — Moveet (https://github.com/ivannovazzi/moveet) might be a useful reference. It's an open-source fleet simulator I built that runs A* pathfinding on GeoJSON/OSM road graphs and streams positions over WebSocket in real time, which could complement your existing layer setup.
Nice work! The real-time vehicle movement rendering challenge you mentioned reminded me of a tool I've been building — Moveet (https://github.com/ivannovazzi/moveet), an open-source fleet simulator that drives synthetic vehicles on real OSM road networks using A* pathfinding, streaming positions over WebSocket. It's aimed at developers who need realistic GPS movement data to test fleet or logistics software, and supports Kafka, Redis, and REST sinks. Your approach of batching 30k+ GeoJSON features into typed arrays is a great pattern for this kind of workload.
The pre-investment workflow gap is real. Everything I've seen in fund admin focuses on post-close: reporting, K-1s, cap table. The NDA-to-wire funnel is manual chaos for most GPs.
We're solving a similar document-chasing problem in a different vertical — professional services firms (accountants, lawyers, consultants) using Gatherly (gatherly.io). Same core pain: clients need to sign agreements and submit supporting documents, and without automation the firm spends hours on follow-up emails.
Our approach: one Secure Link to a branded portal where the client signs (eIDAS-qualified) and uploads everything in a single session. Automated reminders handle the chasing.
Curious about your subdocs flow — that's the most complex part of fund onboarding. Are you generating the subscription documents dynamically based on the accredited investor questionnaire, or is it templated per fund? That integration point seems like where most of the value is for GPs who currently do it over email + DocuSign + spreadsheets.
Really like the three-tier classification (PUBLIC/SENSITIVE/SERVER). That's a thoughtful design — most env var solutions treat everything as equally secret or equally public.
The frontend injection problem you're solving is the mirror image of what we deal with on the backend side. We built KeyEnv (keyenv.dev) to handle the server-side piece: secrets stored encrypted, pulled via CLI, and injected as env vars at runtime. No .env files on disk.
The combination is interesting — REP for the browser-facing config, something like KeyEnv for the server-side secrets that feed REP_SERVER_* vars. The HMAC integrity check on the payload is a nice touch, especially for SPAs where someone could tamper with the injected HTML before it hits the client.
One question on the SENSITIVE tier: with the session-key-based decryption, what's the lifecycle of the session key? Is it per-page-load, per-user-session, or something else? That seems like the main variable in the security tradeoff.
Thanks! The Unraid angle is smart — one-click install removes the biggest objection to self-hosted. That could be a really strong wedge for the privacy-first crowd.
We're seeing a similar split in our market. The accountants and law firms we talk to won't touch self-hosted — they want zero ops and just need it to work. But agencies and consultants who handle sensitive client data (immigration, financial advisory) often ask about data residency and control first.
Your two-track approach (self-hosted free, hosted paid) actually complements what we're doing well. If someone needs full infrastructure control, Atrium is the right fit. If they want managed SaaS with eIDAS compliance baked in, Gatherly covers that. Might even make sense to cross-refer users who land in the wrong bucket.
Good luck with the launch — the market is definitely big enough for both approaches.
Good points — the "no secret zero" advantage of 1Password is real, especially if the team already uses it. Biometric unlock is a nice UX win too.
Where we saw friction was in CI/CD and multi-service setups. 1Password's op CLI adds ~2-3s per secret fetch, which compounds in pipelines with dozens of env vars. KeyEnv batches the pull so it's one round-trip regardless of how many secrets you need.
The other gap we kept hitting: onboarding a new team member. With 1Password you need to set up vault access, service accounts, and teach them the op run workflow. With KeyEnv it's `keyenv pull` and you're done — access is scoped per project and environment, so you grant access once and they get exactly the secrets they need.
Varlock's approach of bridging 1Password into dotenv workflows is clever though. For teams already deep in the 1Password ecosystem, that's probably the lowest-friction path.
Appreciate the pushback — you clearly know this space well.
On open source: no, KeyEnv is not open source. That's a real trade-off and I should have said so directly.
On pricing math: you're right in that scenario. For 10 devs with 10 total secrets, AWS SM is dramatically cheaper. Our pricing makes more sense when teams have dozens of secrets per environment across multiple projects (dev/staging/prod) — where the per-user flat rate becomes predictable. But I take the point that the break-even is higher than I'd like.
On hyperscaler friction: fair, it's gotten much better. The main gap we see is local dev DX — injecting secrets into `npm start` or `docker compose up` without writing files. But you could wrap that around SM too.
Cool approach — using a private GitHub repo as encrypted storage is clever for solo devs who want zero external dependencies.
We're building something in the same space with KeyEnv (https://keyenv.dev) but took a different direction: server-side encrypted storage with a CLI that injects secrets as env vars at runtime (`keyenv run -- npm start`). No files written to disk, no .env files to manage.
The trade-off is pretty clear: AxKeyStore gives you full ownership of storage (GitHub repo) at the cost of managing encryption keys yourself. KeyEnv handles the key management server-side but requires trusting our infrastructure (or self-hosting).
For teams, the big differentiator is access control — KeyEnv scopes secrets per project and environment, and tracks who accessed what. Curious if you've thought about multi-user scenarios for AxKeyStore?
Nice foundation. Self-hosted client portals make a lot of sense for dev shops and agencies who want full control.
We're building Gatherly (gatherly.io) for a similar audience but with a SaaS approach focused on professional services (accounting firms, law firms, consultants). The key difference is we've baked in eIDAS-qualified e-signatures and automated document collection workflows — so clients can sign agreements and upload requested documents through a single branded portal, no account required.
The self-hosted angle is interesting for developers, but most of the professional services firms we talk to want zero ops overhead. Would be curious if you've seen demand from non-technical users.
Love seeing more tools in this space. We're building Gatherly (gatherly.io) solving the same core problem — accountants and professional services firms spending hours chasing clients for documents.
Where we've differentiated: Gatherly bundles e-signatures (eIDAS-qualified) with document collection in a single client workflow. So instead of sending one link for documents and another for contract signing, the client gets one Secure Link to a branded portal where they sign and upload everything in one session.
Curious how you're handling the reminder/follow-up side — that's been the single biggest value driver for our early users. Automated reminders that chase the client so the firm doesn't have to.
This is a real gap. I've seen teams adopt Claude Code and immediately start pasting API keys into .env files that the agent can read — zero access control, zero audit trail.
We built KeyEnv (keyenv.dev) to handle this: secrets are encrypted at rest, pulled via CLI, and injected at runtime. The agent gets the env vars it needs without ever seeing the raw secret values stored anywhere on disk.
The approach works well with AI coding tools because: (1) no secrets in any file the agent can read/commit, (2) rotation happens server-side without touching the dev environment, (3) audit trail shows exactly which secrets were accessed and when.
This matches exactly what we've been building with KeyEnv (keyenv.dev). The core idea: secrets should never live in files on disk at all.
The CLI does `keyenv pull` to fetch encrypted secrets from the server, then `keyenv run` injects them as environment variables into your process. No .env file written, no plaintext ever touches disk, and your app reads process.env exactly like before.
The advantage over 1Password's approach (mentioned in another comment) is that KeyEnv is purpose-built for dev teams: secrets are scoped per project and environment (dev/staging/prod), team members get granular access, and there's a full audit trail. 1Password is great for personal secrets but gets awkward when you need per-project scoping across a team.
For the shell history concern someone raised: `keyenv run` never exposes the actual secret values to the shell — they go straight into the child process environment.
If the main use case is shared team secrets (API keys, tokens, .env equivalents), there are team-secrets-specific tools worth considering as alternatives:
- KeyEnv (keyenv.dev) — CLI-first secrets manager, syncs across team via CLI. Works like .env but centralized and access-controlled. No per-seat pricing.
- Doppler — More full-featured, team-friendly
- Infisical — Open source option with self-host
1Password is great for passwords/logins. For dev team secrets specifically (API keys, CI tokens), a purpose-built tool often fits better since you get CLI integration, per-project scoping, and environment-level access control.
Depends on your ratio of "password manager" vs "secrets manager" usage.
Smart ergonomics — the pain of keeping .env files in sync across worktrees is real. Every worktree ends up with slightly different secret values and nobody knows which is current.
The deeper fix I'd love to see is integration with a secrets manager that owns the canonical values, so worktrees pull from a shared encrypted store rather than each maintaining their own .env copy. We built KeyEnv (https://keyenv.dev) for exactly that: `keyenv run -- npm start` and the process gets injected secrets from the team store. No file duplication, no drift.
Does Workz support custom commands on worktree creation? Could imagine a hook that runs `keyenv pull` or similar to bootstrap without a .env at all.
Interesting — a policy layer for GitHub Actions is a very different angle than just locking down secrets access.
One thing we noticed building KeyEnv (https://keyenv.dev, CLI-first secrets manager): the enforcement problem is often about what runs _locally_ before CI/CD, not just in the pipeline. Devs bypassing secrets rotation by hardcoding, or testing against prod secrets locally, is where leaks usually start.
Your enforcement gate at the Actions layer is a clean solution for the CI side. Do you have plans to extend to pre-commit hooks or dev environment enforcement?
Nice tool. The core problem you're solving (secrets leaking through comms channels) is real — we've seen teams paste API keys in Slack channels "just this once" and never rotate them.
We approached the same problem from a different angle with KeyEnv (https://keyenv.dev): instead of encrypting the .env transfer, we eliminate .env files entirely. Secrets live in KeyEnv, the CLI injects them at runtime with `keyenv run -- your-command`, and nothing ever touches the filesystem. No file to share, no file to leak.
Your tool still has value for teams that can't migrate away from .env — good building block.
Neat framing around the AI angle. A complementary approach is removing .env files from the workflow entirely rather than masking them — so there's nothing to leak to begin with.
We built KeyEnv (https://keyenv.dev) for exactly that: the CLI pulls AES-256 encrypted secrets at runtime so .env files never exist locally. `keyenv run -- npm start` and secrets are injected as env vars, then gone.
The tradeoff is it requires a network hop and team buy-in, whereas enveil is local. Different threat models — enveil protects secrets already on disk from AI tools, KeyEnv prevents them from touching disk at all.
On open source: tools like Vault, Doppler, or Infisical are excellent but require setup, maintenance, and infra (or their hosted tier). KeyEnv's value prop is zero infra — install the CLI, run `keyenv run -- your-command`, done. For small teams that don't want to manage secrets infra, it's faster.
On hyperscalers: AWS Secrets Manager / GCP Secret Manager work well at scale but have per-secret pricing that adds up, and the DX friction is non-trivial (IAM, SDK calls, region config). We're optimized for developer teams who want CLI-first access without cloud-specific lock-in.
On pricing: the per-user model is intentional — it stays predictable as the secret count grows. You're right that at very high secret counts hyperscalers win on cost. We're not competing there; we're competing on simplicity for teams of 2–20 devs.
Not a fit for every team — just trying to make the tradeoffs honest.