Glossary
Device trust
Definition
Device trust is the explicit, revocable approval that lets a specific machine or agent host decrypt and work with your workspace. It is separate from account sign-in: proving who you are does not by itself release decryption keys. A new device earns access from an already-approved device, and you can revoke it anytime.
There are two separate questions when a new machine wants your code: are you who you say you are, and should this specific device be able to decrypt your workspace. Account sign-in answers the first. Device trust answers the second. Collapsing them is a mistake, because a stolen account login should not, on its own, hand a fresh device the keys to read your source and secrets.
Keeping them apart means a device can authenticate your account yet still be unable to decrypt anything until it is explicitly approved. Approval comes from a device that already holds access, which grants the new one; a lost or compromised device can be revoked so it can no longer decrypt going forward. Trust is a deliberate, reversible act, not a side effect of logging in.
Why it matters
Source and secrets are exactly the material you least want a single leaked password to expose. Separating identity from decryption access, and making per-device trust explicit and revocable, is what lets you hand real projects to remote and ephemeral hosts without that access becoming permanent or invisible.
In practice
A new agent host signs into your account and can see that a workspace exists, but cannot read a byte of it. An already-trusted machine approves the host; it now decrypts the workspace. When the host is done, you revoke it and its access ends.
How Bowline relates
Bowline keeps identity and decryption apart: signing in proves who you are, and a separate, revocable device approval releases the keys. Access is granted by an existing trusted device or a recovery key, stays visible in bowline status, and can be revoked at any time.
Related terms
Your ~/Code, on every machine and every agent.
Install bowline and your projects follow you. It just works.
curl -fsSL https://install.bowline.sh | shmacOS app · Linux CLI. Then run bowline login.