Feature
Your env follows the project
.env, .env.local, and .env.* travel with the project, encrypted. Open the project on a second machine or hand it to an agent on a remote host, and pnpm dev just runs. There is no bowline shell to enter, no re-pasting API keys, and no scp-ing a .env file around before you can start.
Dotfile managers and secret managers each cover a slice: config here, secrets there. bowline carries env as part of the whole working state, alongside source, opaque Git state, and uncommitted work, so the project arrives ready to run instead of ready to configure. The setup layer is removed rather than moved to another tool.
The env files are encrypted in transit and at rest, and rematerialize as normal files only on devices you have explicitly trusted. Device trust is revocable, and you hold your own recovery keys, so carrying secrets between machines does not mean handing them to a machine you did not approve.
This is what makes an agent host productive immediately. The moment a Linux box or ephemeral agent host is trusted, it has the same source and the same env you do, and its edits sync back to every machine, with no per-host secret setup and no manual copy step.
OPENAI_API_KEY=sk-live-…
STRIPE_SECRET=sk-live-…
DATABASE_URL=postgres://…
Questions about env and secrets
The questions developers ask about this before they turn it on.
Are my secrets encrypted?
Yes. Env and secrets are encrypted in transit and at rest, and rematerialize as normal files only on devices you have explicitly trusted. Device trust is revocable and you hold your own recovery keys.
Which env files sync?
.env, .env.local, and .env.* travel with the project. They land as real files, so your existing tooling reads them exactly as it does today.
Do I need a special shell to load env?
No. There is no bowline shell to enter. The env files arrive as ordinary files in the project, and whatever already reads your .env keeps working unchanged.
Your ~/Code, on every machine and every agent.
Install bowline and your projects follow you. It just works.
curl -fsSL https://install.bowline.sh | sh
macOS app · Linux CLI. Then run bowline login.