skills/sigillo/SKILL.md
Sigillo is a self-hostable open-source alternative to Doppler. Use when working with sigillo run, sigillo setup, sigillo login, managing secrets, projects, or environments. Also load when integrating Sigillo into CI, Cloudflare Workers, Docker, Vercel, or any other deployment target.
Every time you work with sigillo, you MUST fetch the latest README:

```bash
curl -s https://raw.githubusercontent.com/remorses/sigillo/main/README.md
```

Never pipe it through head, tail, sed -n, or any other truncating command. Read the full output.
Never read .env files directly. If a .env file exists, do not source it or read its contents. Use sigillo run instead, so secrets are injected into the child process without ever entering the agent's context window:

```bash
# BAD — exposes secrets to the agent context window
source .env && next dev
cat .env

# GOOD — secrets injected into the child process, never visible
sigillo run -- next dev
```
sigillo login opens a browser. In agent sessions, use a token instead:

```bash
# Option A: env var (preferred in CI / agent sessions; the token stays in process memory)
export SIGILLO_TOKEN="sig_xxx"

# Option B: save the token scoped to the current directory
sigillo login --token sig_xxx --scope .
```

With Option B the token is written to ~/.sigillo/config.json, scoped so it only applies under the directory it was saved in. Subsequent commands in that directory pick it up without --token.
sigillo setup binds the current directory to a project and environment. The CLI resolves config by longest matching scope, so the most specific (deepest) bound directory wins.

```bash
# Non-interactive — use in agent sessions
sigillo setup --project proj_abc --env production
```

After this, sigillo run in any subdirectory uses that project + environment automatically.
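Because the deepest matching scope wins, a subdirectory bound to a different environment silently overrides its parent, so it is worth checking which binding a given working directory resolves to before running anything. The following added example (not sigillo's own code) models longest-matching-scope resolution over a constructed config; the shape of ~/.sigillo/config.json shown here is an assumption made for the demo, and it also handles the path-boundary edge case where `/app/infra` must not match `/app/infra2`:

```javascript
// Illustrative model of "longest matching scope" resolution. Added example
// code, not sigillo's implementation: the config shape is an assumption.
const SAMPLE_CONFIG = {
  // constructed sample: a repo bound to development, with one
  // subdirectory bound to production
  scopes: {
    "/home/dev/app": { project: "proj_abc", environment: "development" },
    "/home/dev/app/infra": { project: "proj_abc", environment: "production" },
  },
};

// Strip trailing slashes so "/a/b/" and "/a/b" compare equal (POSIX paths only).
function normalize(dir) {
  const d = dir.replace(/\/+$/, "");
  return d === "" ? "/" : d;
}

// True when `dir` is `scope` itself or lies beneath it. The "/" boundary
// check keeps "/home/dev/app/infra" from matching "/home/dev/app/infra2".
function isWithin(dir, scope) {
  const prefix = scope.endsWith("/") ? scope : scope + "/";
  return dir === scope || dir.startsWith(prefix);
}

// Return the binding whose scope is the longest path prefix of `cwd`,
// or null when no scope covers the directory.
function resolveScope(config, cwd) {
  const dir = normalize(cwd);
  let best = null;
  for (const [rawScope, binding] of Object.entries(config.scopes)) {
    const scope = normalize(rawScope);
    if (!isWithin(dir, scope)) continue;
    if (best === null || scope.length > best.scope.length) {
      best = { scope, ...binding };
    }
  }
  return best;
}

// Demo: which environment would `sigillo run` use from each directory?
for (const cwd of [
  "/home/dev/app/web",
  "/home/dev/app/infra/workers",
  "/home/dev/app/infra2",
  "/home/dev/other",
]) {
  const r = resolveScope(SAMPLE_CONFIG, cwd);
  console.log(cwd, "->", r ? `${r.project}/${r.environment} (scope ${r.scope})` : "no binding");
}
```

Run it from any directory; the point to notice is that `/home/dev/app/infra/workers` resolves to production while its sibling `/home/dev/app/web` resolves to development, and `/home/dev/app/infra2` falls back to the parent scope rather than matching `infra` by string prefix.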
```bash
# List injected variable names. Values that meet the redaction threshold
# are masked; short or low-entropy values are printed in clear.
sigillo run -- printenv

# Get a single value
sigillo secrets get DATABASE_URL
```
sigillo run replaces secret values in stdout/stderr with *. Threshold: Shannon entropy ≥ 3.5 bits/char AND length ≥ 16 chars — short or low-entropy values like true, 1, development are not redacted. Use --disable-redaction only when explicitly verifying values.
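The threshold above means some real secrets will pass through redaction unmasked: anything under 16 characters, and anything 16 characters or longer built from a small alphabet. The following added example (not sigillo's code) reimplements the documented rule so you can audit an environment before exposing its output to an agent; the sample values are constructed, and the mask string is an assumption since the page does not specify its width:

```javascript
// Illustrative reimplementation of the documented `sigillo run` redaction
// rule: a value is masked only if Shannon entropy >= 3.5 bits/char AND
// length >= 16. Added example code, not sigillo's implementation.
const ENTROPY_THRESHOLD = 3.5; // bits per character, as documented
const MIN_LENGTH = 16;         // characters, as documented
const MASK = "****";           // assumption: the real mask width is unspecified

// Shannon entropy in bits per character (ASCII values assumed).
function shannonEntropy(value) {
  if (value.length === 0) return 0;
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function wouldBeRedacted(value) {
  return value.length >= MIN_LENGTH && shannonEntropy(value) >= ENTROPY_THRESHOLD;
}

// Names whose values would NOT be masked, i.e. would appear in clear.
function unredactedNames(env) {
  return Object.entries(env)
    .filter(([, v]) => !wouldBeRedacted(v))
    .map(([k]) => k);
}

// Mask every qualifying value wherever it occurs in one line of output.
function redactLine(line, env) {
  let out = line;
  for (const v of Object.values(env)) {
    if (wouldBeRedacted(v)) out = out.split(v).join(MASK);
  }
  return out;
}

// Constructed sample environment. Entropies: 16 distinct chars -> 4.0,
// 8 distinct chars -> 3.0, 11 distinct chars -> log2(11) ~= 3.46.
const SAMPLE_ENV = {
  NODE_ENV: "development",                      // too short: printed
  DEBUG: "true",                                // too short: printed
  API_KEY: "abcdefghijklmnop",                  // 16 chars, 4.0 bits/char: masked
  DB_PASSWORD: "0123456789abcdef0123456789abcdef", // 32 chars, 4.0 bits/char: masked
  SESSION_SALT: "abcdefghabcdefgh",             // 16 chars, 3.0 bits/char: printed!
  LEGACY_PIN: "abcdefghijkabcdefghijk",         // 22 chars, 3.46 bits/char: printed!
};

console.log("printed in clear:", unredactedNames(SAMPLE_ENV));
console.log(
  redactLine(
    "DATABASE_URL=postgres://app:0123456789abcdef0123456789abcdef@db/app salt=abcdefghabcdefgh",
    SAMPLE_ENV,
  ),
);
```

SESSION_SALT and LEGACY_PIN are the cases to watch: both are long enough, but their character distribution keeps them under 3.5 bits/char, so they would print in clear. Treat such values as secrets that redaction will not protect and keep them out of agent-visible output by other means.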
Some tools (wrangler, docker) read from files, not env vars:

```bash
# Write secrets to a temp file that is deleted after the process exits
sigillo run --mount .env.prod --mount-format env -- wrangler secret bulk .env.prod

# Mount as JSON for config loaders
sigillo run --mount config/secrets.json --mount-format json -- node server.js
```

The mounted file is deleted once the child process exits.
In CI there is no scoped sigillo setup binding on a fresh runner, so the token, project and environment are passed as environment variables. A GitHub Actions step:

```yaml
- name: Run with secrets
  env:
    SIGILLO_TOKEN: ${{ secrets.SIGILLO_TOKEN }}
    SIGILLO_PROJECT: ${{ vars.SIGILLO_PROJECT }}
    SIGILLO_ENVIRONMENT: production
  run: npx sigillo run -- pnpm build
```
Prefer sigillo run over downloading secrets. Avoid sigillo secrets download unless a specific tool requires a file format. Prefer injecting directly via sigillo run -- so values never touch the filesystem.