Security Architecture

This document describes the security architecture of SlickEnv. It covers how your data is encrypted, how authentication works, and what we do to ensure your secrets stay secret.

Core principles

  • Encrypt everything. All data is encrypted at rest and in transit. There are no exceptions.
  • Least privilege. The CLI only accesses the files and directories you explicitly initialise. It never scans your filesystem or reads files it was not asked to.
  • No plaintext secrets. At no point in the pipeline (client, network, or server) are your secrets stored or transmitted in plaintext.
  • Audit everything. Every action that touches your data is logged with a timestamp and user identity.

Encryption at rest

All environment variables stored on SlickEnv servers are encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode).

  • Each project has its own encryption key
  • Encryption keys are stored in a separate key management service, never alongside the encrypted data
  • GCM mode provides both confidentiality and integrity, and any tampering with encrypted data is detected automatically
  • Key rotation is supported and can be triggered by project administrators

Encryption in transit

Every API call between the SlickEnv CLI and our servers uses TLS 1.3, the latest version of the Transport Layer Security protocol. The connection provides:

  • Forward secrecy: past sessions cannot be decrypted even if keys are compromised
  • Strong cipher suites: only modern, well-audited algorithms
  • Certificate pinning: the CLI validates the server certificate against a known fingerprint

No secret logging

SlickEnv never logs the contents of your environment variables: not on the client, not in transit, and not on the server. Server logs record only metadata: timestamps, user IDs, project names, variable counts, and version numbers. The actual values are never written to any log.

CLI output masking

Variables marked as @sensitive true are automatically masked in all CLI output. Instead of the actual value, you will see a masked placeholder.

$ slickenv status
  DATABASE_URL = postgres://localhost:5432/myapp
  STRIPE_SECRET_KEY = ••••••••••••••••
  API_KEY = ••••••••••••••••

This prevents accidental exposure in terminal screenshots, screen shares, and CI logs.

Authentication flow

SlickEnv uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) for authentication via GitHub or Google.

  1. The CLI opens your browser to the SlickEnv auth endpoint
  2. You authenticate with your chosen provider (GitHub or Google)
  3. The provider issues an authorization code
  4. The CLI exchanges the code for an access token using PKCE
  5. The token is stored in your system keychain (macOS Keychain, Linux Secret Service, Windows Credential Manager)

Tokens are never stored in config files, environment variables, or plaintext on disk.
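
Steps 1 to 4 above, sketched as an added example that is not SlickEnv's own code: the client side generates a PKCE verifier and S256 challenge as RFC 7636 defines them, and a stand-in server checks the verifier at token exchange. The AuthServer class and all function names are hypothetical, and keychain storage (step 5) is left out.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Client: 32 random bytes -> 43-character code_verifier, held in memory."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """Client: S256 code_challenge sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Hypothetical stand-in for the auth endpoint (an assumption, not SlickEnv's)."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str):
        # Codes are single use: pop first so a replayed code always fails.
        expected = self._pending.pop(code, None)
        if expected is None:
            return None
        ok = hmac.compare_digest(challenge_for(code_verifier), expected)
        return secrets.token_urlsafe(32) if ok else None


def demo() -> dict:
    server = AuthServer()
    verifier = new_verifier()
    code = server.authorize(challenge_for(verifier))
    token = server.exchange(code, verifier)    # legitimate client
    replay = server.exchange(code, verifier)   # same code presented again
    code2 = server.authorize(challenge_for(new_verifier()))
    # A party holding only the code, not the verifier, gets no token.
    intercepted = server.exchange(code2, new_verifier())
    return {"client_token": token, "replay": replay, "intercepted": intercepted}


if __name__ == "__main__":
    print(demo())
```

Only the challenge travels through the browser redirect; the verifier never leaves the client process until the token request, which is why the authorization code alone is not enough to obtain a token.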

Pre-launch security review

Before launch, SlickEnv underwent a comprehensive security review covering:

  • Static analysis of the CLI codebase
  • Dependency audit for known vulnerabilities
  • Penetration testing of the API endpoints
  • Review of the encryption implementation by an independent cryptographer
  • Infrastructure security assessment

We plan to publish the results of an independent third-party audit in Q2 2026. For questions or to report a vulnerability, contact security@slickenv.dev.