Every tool on my Mac works without the internet
I was on a flight last month when the Wi-Fi went out. Three hours, no connection. I needed to look up a database credential, merge two PDFs for a contract, and check on a background service that was running locally. All three worked. I didn’t notice the internet was down until I tried to open Gmail.
That wasn’t luck. Over the past year I’ve replaced every cloud-dependent tool in my workflow with something that runs on my machine. The privacy angle is a bonus, but the real reason is simpler: I got tired of paying monthly for things that should just work.
The subscription problem
1Password is $36/year. Otter.ai is $200/year for a meeting transcription service that sends every word you say to their servers. Google Analytics is free, which means you’re paying with your users’ data. SmallPDF makes you upload your files to a server to merge two documents. That’s a local operation. There’s no reason for a server to be involved.
I was paying for convenience that shouldn’t cost anything. The actual computation happens on your machine anyway. The server is there for syncing and lock-in, not because the problem requires it.
Passwords: xpass
The Bitwarden CLI got compromised in April 2026 through a supply chain attack. A backdoored npm package made it into their CI/CD pipeline. If you had the CLI installed, a malicious bw1.js ran an infostealer on your machine. KeePass users in that same HN thread were saying “this is why I stay local.” They’re right.
The problem with any password manager that ships as an npm package or browser extension is that it’s coupled to other software’s supply chain. 1Password, Bitwarden, LastPass — they all have browser extensions, desktop apps, CLI tools, each one a surface for compromise. I was paying $3/month for 1Password and the thing I was paying for was trust. Trust that their infrastructure wouldn’t get breached, their extensions wouldn’t get hijacked, their npm dependencies wouldn’t get poisoned.
xpass is a terminal password manager I wrote in Go. Single binary, 601 lines. AES-256-GCM encryption, TOTP support, git sync for backups. The vault is one encrypted file on my machine. No browser extension to get compromised, no npm packages in the supply chain, no cloud sync where a breach exposes every user at once.
xpass get github
# copies password to clipboard, clears after 30 seconds
It has a TUI for browsing entries, searching, and viewing TOTP codes. For quick access, xpass get <name> copies the password and clears the clipboard after 30 seconds.
I sync the encrypted vault across machines with git. Push to a private repo, pull on the other machine. The file is AES-encrypted, so even if GitHub gets breached, the vault is useless without my master key.
Less convenient than a browser extension that auto-fills? Yeah. But I type a password maybe 5 times a day. I’ll live.
Meeting recordings: Quietly
Cloud transcription is a privacy nightmare for anything sensitive. Every standup, every 1:1, every call where someone shares something they shouldn’t — it’s all sitting on Otter.ai’s servers. I was paying $17/month for that privilege. SuperWhisper and Sonicribe exist as local alternatives, but I wanted something that records the full meeting and labels speakers, not just a dictation tool.
Quietly is local-first speech-to-text for meetings. It captures your mic and system audio using ScreenCaptureKit, runs whisper.cpp for transcription, labels who said what (You vs Other), and generates a summary with a local LLM through Ollama. Audio never leaves the Mac.
You don’t need BlackHole or virtual audio devices or any routing headaches. ScreenCaptureKit on macOS 13+ handles system audio capture natively, which means it works with Bluetooth headphones out of the box. That was the hardest part to build and the thing I’m most proud of.
After a meeting, I have a transcript with speaker labels and a summary sitting in a local file. $29 once and it’s mine.
Background services: serviceman
I run about a dozen background services on my machines. Research scrapers, webhook receivers, dashboard servers, sync jobs. Docker Compose worked but it meant running a Docker daemon eating 2GB+ of RAM, managing Dockerfiles for each service, and debugging container networking when things broke. On a 4GB VPS that RAM overhead matters.
serviceman is a 753-line Python script. Auto-restart, log capture, launchd integration on macOS so services start on boot. Zero dependencies. If PM2 is the Node equivalent, serviceman is the Python version that doesn’t need Node installed.
sm add research "./run.sh" -c /path/to/project
sm start research
sm logs research -f
sm status
That’s the entire interface. Adding a service, starting it, tailing logs, checking status. It generates launchd plists so macOS handles the lifecycle. If a process crashes at 3 AM, it’s back up before I wake up.
I use this on my homelab VM too. 12 services, all managed by a single Python file with zero dependencies.
PDF merging: Paperstack
This one is almost embarrassing to include because of how simple it is. Paperstack merges PDFs. Drag files in, reorder them, hit merge. That’s it.
The thing is, every online PDF tool requires you to upload your files to a server. SmallPDF, iLovePDF, all of them. Contracts, tax documents, medical records, going to a server you don’t control for an operation that takes 50ms locally.
Paperstack is a Tauri app. Your files never leave your machine. It’s free and works offline.
Analytics: ezhog
Plausible is $9/month. Umami is free but you self-host it. Fathom is $14/month. They’re all good, but they’re all companies that can raise prices, change terms, or shut down. I’ve seen enough “we’re updating our pricing” emails.
ezhog is a Cloudflare Worker I wrote. One script tag, 723 lines of TypeScript. Counts page views, tracks referrers, tells me if visitors come back. It runs on my Cloudflare account. The pricing is Cloudflare’s free tier, which has been free for years. If Cloudflare changes that, I move the Worker to any other edge platform in an afternoon.
It doesn’t do user journeys or funnels or heatmaps. I don’t need that for my sites. I need to know what pages people visit and where they come from.
API keys: tokenvault
Every project needs API keys. Most developers either commit .env files to git (bad), store them in a notes app (worse), or use a cloud secret manager like Doppler or Vault (overkill for a solo dev).
tokenvault is an encrypted CLI token store. AES-256 encryption, one master key. The encrypted file lives in a git repo so it syncs across machines. All my API keys across all projects live in one place.
tv get stripe api_key
# prints the key
tv add myproject my-secret-token "production api key"
# encrypts and saves
tv dump
# prints everything as JSON (for scripts)
My CI pipelines, my CLIs, my local dev servers all pull from tokenvault. One source of truth, encrypted at rest, synced across machines through git.
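The git-synced encrypted file described for xpass and tokenvault is only safe if a blob pulled from the remote is rejected when it has been altered, which is what an authenticated mode such as the AES-256-GCM named for xpass provides. The following is an added example in Go, not code from xpass or tokenvault: the file layout, the VAULTv1 header and the function names are assumptions, and it takes a raw 32-byte key rather than deriving one from a master password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var magic = []byte("VAULTv1\n") // constructed header, authenticated as GCM associated data

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // enforce AES-256; NewCipher alone also accepts 16 and 24
		return nil, errors.New("master key must be 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

// Seal returns magic || nonce || ciphertext+tag; the nonce is fresh on every save.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, magic...), nonce...)
	return gcm.Seal(out, nonce, plaintext, magic), nil
}

// Open verifies the tag first: a wrong key or any flipped bit returns an error.
func Open(key, file []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	hdr := len(magic) + 12 // 12-byte standard GCM nonce
	if err != nil || len(file) < hdr+16 { // 16-byte tag
		return nil, errors.New("bad key length or truncated vault")
	}
	return gcm.Open(nil, file[len(magic):hdr], file[hdr:], file[:len(magic)])
}

func main() {
	file, _ := Seal(make([]byte, 32), []byte("constructed secret")) // all-zero demo key
	file[len(file)-1] ^= 1 // simulate a blob altered in the remote repo
	_, err := Open(make([]byte, 32), file)
	fmt.Println("tampered vault rejected:", err != nil)
}
```

Because every save uses a new nonce, two commits of an unchanged vault still differ byte for byte, so the git history shows when the vault was saved but not whether its contents changed.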
The pattern
If you look at everything above, it’s the same move repeated: take something that got turned into a cloud service with a monthly fee, and run it locally. The cloud version usually works fine. The question is whether it needs to be cloud at all.
Your CPU merges the PDF. Your GPU transcribes the audio. Your filesystem stores the passwords. The server sitting between you and your own hardware is there for business reasons, not technical ones.
If you’re a team of 50 sharing a password vault, sure, use 1Password. If you need enterprise secret management with audit trails, pay for Doppler. Those are real use cases for remote infrastructure.
But if you’re a solo developer and the tool runs fine on your laptop, you’re paying someone $20/month to run it on their laptop instead. I stopped doing that about a year ago and I haven’t missed it.
Everything above is free and open source, or a one-time purchase. No subscriptions, no lock-in. All at saadnaveed.com.