30+ AI safety tools · Rust · source-available · VS Code, IntelliJ, Neovim, Zed

Your secrets aren’t safe from AI.

EnvForge is the environment-variable manager built to protect secrets from AI coding agents — not just store them. Fence the files, intercept the tool calls, run with secrets sealed in memory, and trip a canary if anything leaks. One Rust CLI, a TUI, and a Language Server that lights up your editor.

30+ AI safety tools · 13 secret providers · 130+ commands · 2,800+ tests passing

Four moves. Total coverage.

EnvForge isn’t a vault you push to and forget. It’s a defense pipeline you run as you work — fence, guard, run, watch.

1. FENCE

Block AI tools from ever reading your secrets, then hand them context without values — types and names from an inferred schema, never the credentials themselves.

fence · prevention
# block Cursor, Copilot & Claude Code at the file level
$ envforge fence
  created .envforgeignore · .cursorignore · .claude/settings.json

# give the agent context — names & types, no values
$ envforge schema emit-ai --infer --output .env.ai.md
  wrote .env.ai.md (42 variables, 0 values)
2. GUARD

Wire EnvForge into the agent’s tool loop and your git hooks. Every read and every commit is scanned before it lands; leaked credentials in MCP configs get rewritten to ${VAR} references.

guard · prevention · remediation
# PreToolUse + PostToolUse hooks in the agent
$ envforge ai-hook install claude-code
  hooks installed: PreToolUse + PostToolUse

$ envforge scan --install-hook
  pre-commit hook installed

$ envforge mcp harden
  2 credentials found · replaced with ${VAR}
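The MCP-config rewrite described above, as an added example that is not EnvForge's own code: a sed pass that swaps any string value whose key looks like a credential for a ${KEY} reference, leaving values that already use a reference untouched. The key heuristic (TOKEN, KEY, SECRET, PASSWORD), the sample config and the server names in it are assumptions of this example.

```shell
#!/bin/sh
# Added example, not EnvForge's own code: the remediation idea behind
# `envforge mcp harden`, modelled as a sed pass over an MCP config. A string
# value whose key looks like a credential (contains TOKEN, KEY, SECRET or
# PASSWORD) is swapped for a "${KEY}" reference, so the real value lives only
# in the environment. The key heuristic, the sample config and the server
# names in it are assumptions of this example.

# Constructed sample config: two fake plaintext credentials, one value that
# already uses a reference, and one harmless setting.
write_sample_mcp_config() {
  cat > "$1" <<'EOF'
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "example-github-mcp-server"],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLE0000000000000000000000000000",
        "LOG_LEVEL": "info"
      }
    },
    "stripe": {
      "command": "example-stripe-mcp-server",
      "env": {
        "STRIPE_API_KEY": "sk_test_EXAMPLE00000000000000000",
        "STRIPE_WEBHOOK_SECRET": "${STRIPE_WEBHOOK_SECRET}"
      }
    }
  }
}
EOF
}

# ERE for a credential-looking key followed by a plaintext string value.
# Group 1 is the key, group 3 the ": " between key and value. Values that
# already start with "$" (a ${VAR} reference) are deliberately not matched.
CRED_RE='"([A-Z0-9_]*(TOKEN|KEY|SECRET|PASSWORD)[A-Z0-9_]*)"([[:space:]]*:[[:space:]]*)"[^$"][^"]*"'

# count_mcp_credentials FILE -> number of lines holding a plaintext credential
count_mcp_credentials() {
  grep -E -c "$CRED_RE" "$1" || true   # grep exits 1 on zero matches but still prints 0
}

# harden_mcp_config < config.json > hardened.json
# Rewrites each matched value to "${KEY}"; every other line passes through.
harden_mcp_config() {
  sed -E "s/$CRED_RE/"'"\1"\3"${\1}"/'
}

# Stand-alone demo on the constructed sample.
cfg=$(mktemp)
write_sample_mcp_config "$cfg"
echo "$(count_mcp_credentials "$cfg") credentials found; hardened config:"
harden_mcp_config < "$cfg"
rm -f "$cfg"
```

Run the hardened output through count_mcp_credentials again and it reports 0, which is the check a pre-commit hook would make before letting the config land.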
3. RUN

Execute your app with secrets resolved in memory only and masked in every log line. Scope access to a time-boxed lease — and revoke everything instantly if something feels wrong.

run · runtime
# volatile = never on disk · redact = masked output
$ envforge run --volatile --redact -- npm start
  connecting to [REDACTED:DB_PASSWORD]@host…
  server running on :3000

$ envforge lease create --ttl 1h --keys DB_URL,API_KEY
$ envforge revoke --all
  KILLSWITCH: 3 leases revoked
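Two of the moves above, FENCE's schema emission (names and types, never values) and RUN's log redaction, as one added shell example that is not EnvForge's own code. The type labels, the secret-name heuristic and the 8-character minimum below which a value is not redacted are assumptions of this example; the .env contents are constructed.

```shell
#!/bin/sh
# Added example, not EnvForge's own code. emit_ai_schema mirrors the idea of
# `envforge schema emit-ai --infer` (names and inferred types reach the agent,
# values never do); redact_stream mirrors `envforge run --redact` (secret
# values are masked in a child process's output). Type labels, the secret-name
# heuristic and the 8-character minimum are this example's assumptions.

# Constructed sample .env with fake values for the demo.
write_sample_env() {
  cat > "$1" <<'EOF'
# database
DB_URL=postgres://app:s3cret-hunter2@db.internal:5432/app
DB_PASSWORD="s3cret-hunter2"
PORT=3000
DEBUG=false
export API_KEY=sk_test_0000000000000000
FEATURE_FLAGS=a,b,c
EOF
}

# parse_env FILE -> one "NAME<TAB>VALUE" line per assignment. Comments, blank
# lines, a leading "export " and surrounding quotes are dropped.
parse_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    line=${line#export }
    case "$line" in *=*) ;; *) continue ;; esac
    name=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}
    printf '%s\t%s\n' "$name" "$value"
  done < "$1"
}

# infer_type NAME VALUE -> secret | url (embedded credential) | url | boolean
# | integer | string. The name is checked first, so a secret is labelled as
# one even when its value looks like an ordinary string.
infer_type() {
  case "$1" in
    *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*API_KEY*|*PRIVATE_KEY*|*_KEY) echo secret; return ;;
  esac
  case "$2" in
    *://*:*@*) echo 'url (embedded credential)' ;;  # user:pass@ makes the URL a secret
    *://*) echo url ;;
    true|false|TRUE|FALSE|True|False) echo boolean ;;
    ''|*[!0-9]*) echo string ;;
    *) echo integer ;;
  esac
}

# emit_ai_schema FILE -> "NAME: type" lines; no value ever reaches the output.
emit_ai_schema() {
  tab=$(printf '\t')
  parse_env "$1" | while IFS="$tab" read -r name value; do
    printf '%s: %s\n' "$name" "$(infer_type "$name" "$value")"
  done
}

# redact_stream ENVFILE: filter stdin, replacing each secret value with
# [REDACTED:NAME]. Longer values are substituted first, so a URL that embeds
# the password is masked as one unit; values shorter than 8 characters
# (ports, booleans) are skipped to avoid masking innocent log text.
redact_stream() {
  secrets=$(mktemp)
  parse_env "$1" > "$secrets"
  awk -v secrets="$secrets" -v minlen=8 '
    function replace_all(line, needle, repl,    out, i) {
      out = ""
      while ((i = index(line, needle)) > 0) {
        out = out substr(line, 1, i - 1) repl
        line = substr(line, i + length(needle))
      }
      return out line
    }
    BEGIN {
      n = 0
      while ((getline l < secrets) > 0) {
        tab = index(l, "\t"); if (tab == 0) continue
        name = substr(l, 1, tab - 1); val = substr(l, tab + 1)
        if (length(val) < minlen) continue
        n++; j = n                      # insertion sort, longest value first
        while (j > 1 && length(vals[j - 1]) < length(val)) {
          vals[j] = vals[j - 1]; names[j] = names[j - 1]; j--
        }
        vals[j] = val; names[j] = name
      }
      close(secrets)
    }
    {
      line = $0
      for (i = 1; i <= n; i++) line = replace_all(line, vals[i], "[REDACTED:" names[i] "]")
      print line
    }'
  rm -f "$secrets"
}

# Stand-alone demo on the constructed sample.
env_file=$(mktemp)
write_sample_env "$env_file"
echo '# what the agent gets to see:'; emit_ai_schema "$env_file"
echo '# child output after redaction:'
printf 'connecting to postgres://app:s3cret-hunter2@db.internal:5432/app\nretrying with password s3cret-hunter2\nserver running on :3000 (debug=false)\n' | redact_stream "$env_file"
rm -f "$env_file"
```

Note the two edge cases the demo exercises: DB_URL is not named like a secret, but its user:pass@ part makes it one, so the schema marks it and the redactor masks the whole URL; and PORT=3000 stays visible in "server running on :3000" because short values are excluded from redaction.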
4. WATCH

Plant honeypot canaries that alert on exfiltration, audit git history for AI-assisted leaks, and map what breaks before you rotate. Detection and governance, not just prevention.

watch · detection · governance
# honeypot credential — tripwire on read/exfil
$ envforge canary create STRIPE_KEY
  canary planted · monitoring enabled

$ envforge audit --ai-leaks
  scanned 1,204 commits · 0 AI-assisted leaks

$ envforge deps DB_URL
  3 services depend on this secret

See the danger in your editor.

EnvForge ships a Language Server and first-party VS Code, IntelliJ, Neovim & Zed plugins. The AI-exposure story lives where you write code — not buried in a CLI.

  • Exposure heatmap — a colored dot in the gutter on every env-var line, reporting the same exposure result the CLI does.
  • Canary tripwire glyphs — a shield replaces the dot when a canary is registered. Hover for status.
  • Status-bar trio — variable count, fence shield (AI BLOCKED / AI ALLOWED), and a live volatile-lease countdown.
  • Source-language goto-definition — ctrl-click process.env.X, os.environ["X"] or std::env::var("X") in any of 11 languages and land on the schema entry.
  • MCP config linter — credential patterns flagged inline in .cursor/mcp.json, .claude/settings.json and friends.
  • One-key quick-fixes — plant a canary, mark as secret, generate .env from schema, swap in a secret reference.
Gutter heatmap — what the dots mean
  • RED: plaintext, readable by AI agents right now
  • AMBER: sensitive — will be redacted by AI-guard
  • GREEN: fenced — the agent can’t reach it

Every plugin talks to the same envforge lsp engine, so they all behave the same way. Also works through LSP alone in Helix, Emacs, Sublime Text, Kakoune & Lapce.

30+ tools. Six layers.

From prevention to governance — the most comprehensive AI-agent secret protection of any CLI.

Layer       | Tool                 | Command             | What it does
Prevention  | Secret Fence         | envforge fence      | Ignore rules for Cursor, Copilot, Claude Code
Prevention  | Fence Status         | fence --status      | Verify ignore rules are active
Prevention  | Fence Targets        | fence config        | Choose which AI tools the fence covers
Prevention  | Pre-Commit Hook      | scan --install-hook | Block commits containing secrets
Prevention  | 3-Stage AI Guard     | ai-guard pre-tool   | Scan before & after AI tool execution
Prevention  | AI Hooks             | ai-hook install     | PreToolUse + PostToolUse hooks
Prevention  | Hook Status          | ai-hook status      | Check which tools have active hooks
Prevention  | File Alerts          | built-in            | Warn on .env, .pem, .ssh/ access
Runtime     | Volatile Mode        | run --volatile      | Secrets in memory only — never on disk
Runtime     | Log Redaction        | run --redact        | Mask secrets in subprocess output
Runtime     | Credential Proxy     | proxy --port 8100   | HTTP API with allowlist + audit
Runtime     | Session Leases       | lease create --ttl  | Time-bounded secret access
Runtime     | Killswitch           | revoke --all        | Instantly revoke all active leases
Context     | AI-Safe Schema       | schema emit-ai      | Types & names without values
Context     | Safe Export          | export --safe       | Redacted [REDACTED] values
Context     | Ignore File          | .envforgeignore     | Mark files AI tools should skip
Remediation | MCP Scan             | mcp status          | Find creds in AI tool configs
Remediation | MCP Harden           | mcp harden          | Auto-replace with ${VAR} references
Remediation | Prompt Sanitizer     | sanitize FILE       | Strip secrets from any file
Detection   | Canary Secrets       | canary create       | Honeypot credentials — alert on exfiltration
Detection   | AI Leak Audit        | audit --ai-leaks    | Scan git for AI-assisted leaks
Detection   | Access Audit         | audit --access      | JSONL log of proxy access
Governance  | Approval Flow        | --require-approval  | Human approves each secret access
Governance  | Dependency Map       | deps KEY --source   | What breaks if this secret rotates?
Governance  | External Scanner     | scanner test        | Multi-scanner pipeline (Lakera, ggshield)
Governance  | Session Scoping      | session start --ttl | Per-AI-tool scoping with auto-detection
Governance  | Lifecycle Automation | lifecycle check     | Rule-based create / rotate / decommission
Governance  | Analytics            | analytics unused    | Dormant-secret detection & retention

Beyond AI safety.

A complete environment-variable manager underneath — 130+ commands, no migration required.

Encrypted sync

Sync across machines through Git, with strong encryption (age). Pick which keys to sync, override values per machine, roll back, and work offline. Your env vars are stored encrypted in the repo — never in plain text.

13 secret providers

Pull, push and reference across Vault, AWS SSM, 1Password, Doppler, GCP, Azure and more — with URI refs like vault://secret/app/DB_URL.

Schema validation

.env.schema with types, defaults & descriptions. Drift detection, JSON Schema for autocomplete, onboarding wizard.

TUI + CLI

Vim-style TUI with fuzzy search, grouping and masking. 130+ CLI commands with --json and --dry-run.

8 export formats

dotenv, JSON, YAML, TOML, Docker, Docker Secrets, Kubernetes Secret, Terraform tfvars — one command.

Workflows & audit

Profiles, snapshots, guided rotation with propagation, secure sharing, a unified check, plus SOC2 audit-trail reports.

Plugs into your stack.

Configure once, reference everywhere.

HashiCorp Vault · AWS SSM · 1Password · Doppler · Infisical · GCP Secret Manager · Azure Key Vault · Bitwarden · Akeyless · CyberArk Conjur · Mozilla SOPS · pass / gopass · Keeper

How EnvForge compares.

The only tool pairing comprehensive AI safety with full environment management.

Feature                    | EnvForge | ggshield | dotenvx | Infisical | Doppler | Varlock
AI safety tools            | 30+      | 3        | 2       | 1         | 0       | 7
Pre-tool scanning          |          |          |         |           |         |
Canary secrets             |          |          |         |           |         |
Session leases + killswitch|          |          |         |           |         |
MCP config harden          |          |          |         |           |         |
Volatile mode (no disk)    |          |          |         |           |         |
Full env management        |          |          |         |           |         |
TUI interface              |          |          |         |           |         |
13 secret providers        |          |          |         |           |         |
Encrypted sync             |          |          |         |           |         |
Zero cloud dependency      |          |          |         |           |         |

Install in 10 seconds.

Rust 1.75+ · Linux and macOS.

Or build from source: git clone https://github.com/emreerinc/envforge && cd envforge && cargo install --path .

setup · completions · man
# shell completions (auto-install)
$ envforge completions zsh --install

# IDE-style autocomplete: carapace / inshellisense / kiro / fig
$ envforge completions carapace --install

# built-in man pages
$ envforge man            # full command index
$ envforge man fence      # a specific command