The Invisible Perimeter

We are currently operating in a state of collective delusion. We spend millions hardening AWS IAM policies and configuring VPC peering, yet we continue to run npm install on machines that hold the keys to our production kingdoms. It is a ridiculous plateau of risk.

Last week, I looked at my own local environment and realized it was a dangling object of trust. I didn’t trust my dotfiles. I didn’t trust my cached credentials. So, I nuked it all.

The Myth of the Auditable Stack

The industry likes to talk about “supply chain security” as if it’s a solved problem of checksums and lockfiles. It isn’t. When a simple utility pulls in 200 transitive dependencies, you aren’t just installing a library; you are granting execution rights to 200 anonymous maintainers.

  • NPM is a disaster: It’s an ecosystem that has prioritized “developer experience” over basic sanity for so long that we’ve forgotten what a clean environment looks like.
  • Homebrew is a black box: We regularly execute post-install scripts with high privileges because we’re too busy to read the formula.

If you can’t audit the code, you shouldn’t give it access to your ~/.ssh/id_rsa.

Retreating to the Secure Enclave

My solution wasn’t better software; it was better hardware. I’ve moved my primary identity into the macOS Secure Enclave.

  1. Immovable Keys: My SSH private keys are now generated inside the hardware. They cannot be exported. They cannot be copied by a malicious script.
  2. Touch ID as a Firewall: Every Git operation now requires a physical Touch ID verification. Even if my machine is compromised by a malware-laden package, the attacker cannot use my identity without my physical presence.
  3. The Death of the AWS Secret: I have purged static AWS_ACCESS_KEY entries from my disk. Everything is now OIDC-based. If a process scans my environment for secrets, it finds nothing.
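A way to check the third point on your own machine, added here as an example and not part of the original post: it scans the process environment and the standard ~/.aws/config and ~/.aws/credentials files, flags anything that looks like a long-term (AKIA) or session (ASIA) access key, and labels each profile as keys-on-disk versus runtime-federated (SSO, OIDC web identity, credential_process, assumed role). The sample config is constructed and uses the AWS documentation placeholder key.

```python
import configparser
import os
import re

# Long-term AWS access key IDs start with "AKIA"; temporary STS ones with "ASIA".
AKID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
STATIC_KEYS = {"aws_access_key_id", "aws_secret_access_key"}
# Settings that make a profile fetch credentials at run time instead of reading them from disk.
FEDERATED_KEYS = {"sso_start_url", "sso_session", "web_identity_token_file",
                  "credential_process", "role_arn"}

# Constructed sample ~/.aws/config; key ID and secret are the AWS documentation placeholders.
SAMPLE_AWS_CONFIG = """
[legacy]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[profile ci]
sso_session = corp
region = eu-west-1
"""

def scan_env(env: dict[str, str]) -> list[str]:
    """Names of environment variables that carry an AWS access key (by name or by value)."""
    return sorted(name for name, value in env.items()
                  if name in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
                  or AKID_RE.search(value))

def scan_profiles(ini_text: str) -> dict[str, str]:
    """Classify each profile: 'static' (keys on disk), 'federated' (SSO/OIDC/STS) or 'unknown'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    verdicts = {}
    for section in cp.sections():
        keys = {k.lower() for k in cp[section]}
        verdicts[section] = ("static" if keys & STATIC_KEYS
                             else "federated" if keys & FEDERATED_KEYS else "unknown")
    return verdicts

def audit_host() -> dict[str, object]:
    """Run both checks against the live environment and the real ~/.aws files."""
    report = {"env": scan_env(dict(os.environ)), "profiles": {}}
    for name in ("config", "credentials"):
        path = os.path.expanduser(f"~/.aws/{name}")
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                report["profiles"].update(scan_profiles(fh.read()))
    return report

if __name__ == "__main__":
    print(audit_host())
```

A machine that matches the post's goal reports an empty env list and no profile marked 'static'.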

The Bottom Line

Productivity is irrelevant if it comes at the cost of total compromise. I’ve traded a bit of convenience for hardware-rooted trust. In a world of transitive visibility debt, the only winning move is to reduce the surface area to something you can actually touch.

Stay secure, or stay out of the arena.