A Small Hardening Trick for .env.local: dotenvx + OS Keychain

Source: DEV Community
Most teams keep local secrets in .env.local and add that file to .gitignore. That is the bare minimum, and it does not address a more pressing risk: supply chain attacks and compromised local tooling that read .env files as soon as they get repo access. Once a malicious dependency, postinstall script, editor extension, MCP server, AI coding tool, or other local helper can inspect your workspace, plain-text .env.local files become low-effort, high-value targets.

I wanted a low-friction way to reduce that blast radius without forcing the whole team onto a heavyweight secrets manager for day-to-day local development. This is the pattern I landed on:

- keep non-secret local config in .env.local
- move actual secrets into .env.local.secrets
- encrypt .env.local.secrets with dotenvx
- move the decryption key off disk and into macOS Keychain
- load .env.local first, then only decrypt secrets when an explicit opt-in flag says to

Important distinction: I am not using dotenvx the way it is often market
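A wrapper script that implements the five steps above, written as an added example rather than code from the original post or from the dotenvx project. It parses .env.local line by line instead of sourcing it (so a tampered file cannot execute commands), fetches the dotenvx private key from macOS Keychain with the built-in `security` tool, and only invokes `dotenvx run` on the encrypted secrets file when `LOAD_LOCAL_SECRETS=1` is set. The Keychain service name (`dotenvx-local-secrets`) and the per-file key variable name `DOTENV_PRIVATE_KEY_LOCAL_SECRETS` are assumptions; check the variable name against what `dotenvx encrypt` prints for your file, and adjust if it differs.

```shell
#!/bin/sh
# Added example: load plain .env.local, then opt-in decryption of
# .env.local.secrets via dotenvx with the key held in macOS Keychain.
# One-time setup (assumed service name):
#   security add-generic-password -a "$USER" -s dotenvx-local-secrets -w "<private key>"
#   and then delete the key from .env.keys so it no longer lives on disk.

KEYCHAIN_SERVICE="dotenvx-local-secrets"            # assumption: pick your own
PLAIN_ENV_FILE="${PLAIN_ENV_FILE:-.env.local}"
SECRETS_ENV_FILE="${SECRETS_ENV_FILE:-.env.local.secrets}"
# Assumption: dotenvx reads the per-file private key from this variable.
KEY_VAR_NAME="DOTENV_PRIVATE_KEY_LOCAL_SECRETS"

# Parse KEY=VALUE lines and export them. Comments and blanks are skipped,
# keys are restricted to [A-Za-z0-9_], and surrounding double quotes are
# stripped. Nothing in the file is ever evaluated as shell code.
load_plain_env() {
    file="$1"
    [ -r "$file" ] || return 0                      # no .env.local is fine
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac
        key="${line%%=*}"
        val="${line#*=}"
        case "$key" in *[!A-Za-z0-9_]*|'') continue ;; esac
        case "$val" in \"*\") val="${val#\"}"; val="${val%\"}" ;; esac
        export "$key=$val"
    done < "$file"
}

# The explicit opt-in flag: only LOAD_LOCAL_SECRETS=1 unlocks decryption.
secrets_requested() {
    [ "${LOAD_LOCAL_SECRETS:-}" = "1" ]
}

# Read the dotenvx private key from Keychain; prints nothing on failure.
keychain_private_key() {
    security find-generic-password -a "$USER" -s "$KEYCHAIN_SERVICE" -w 2>/dev/null
}

# Run a command with .env.local loaded and, if opted in, the decrypted
# secrets layered on top via dotenvx. The key is exported only for the
# duration of this process tree and never written to disk.
run_with_env() {
    load_plain_env "$PLAIN_ENV_FILE"
    if secrets_requested; then
        key="$(keychain_private_key)"
        if [ -z "$key" ]; then
            echo "no dotenvx key found in Keychain service '$KEYCHAIN_SERVICE'" >&2
            return 1
        fi
        export "$KEY_VAR_NAME=$key"
        exec dotenvx run -f "$SECRETS_ENV_FILE" -- "$@"
    fi
    exec "$@"
}

# Only act when invoked with a command, e.g.:
#   LOAD_LOCAL_SECRETS=1 ./with-env.sh npm run dev
if [ $# -gt 0 ]; then
    run_with_env "$@"
fi
```

Without the flag, tooling that runs the wrapper (or simply reads the workspace) only ever sees the non-secret values in .env.local; the encrypted .env.local.secrets is useless to it without the Keychain entry, which is gated by the OS rather than by file permissions in the repo.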