● 25 AI safety tools · Rust · source-available · VS Code, IntelliJ, Neovim, Zed
Your secrets aren’t safe from AI.
EnvForge is the environment-variable manager built to protect secrets from AI coding agents — not just store them. Fence the files, intercept the tool calls, run with secrets sealed in memory, and trip a canary if anything leaks. One Rust CLI, a TUI, and a Language Server that lights up your editor.
Four moves. Total coverage.
EnvForge isn’t a vault you push to and forget. It’s a defense pipeline you run as you work — fence, guard, run, watch.
FENCE
Block AI tools from ever reading your secrets, then hand them context without values — types and names from an inferred schema, never the credentials themselves.
# block Cursor, Copilot & Claude Code at the file level $ envforge fence created .envforgeignore · .cursorignore · .claude/settings.json # give the agent context — names & types, no values $ envforge schema emit-ai --infer --output .env.ai.md wrote .env.ai.md (42 variables, 0 values)
GUARD
Wire EnvForge into the agent’s tool loop and your git hooks. Every read and every commit is scanned before it lands; leaked credentials in MCP configs get rewritten to ${VAR} references.
# PreToolUse + PostToolUse hooks in the agent $ envforge ai-hook install claude-code hooks installed: PreToolUse + PostToolUse $ envforge scan --install-hook pre-commit hook installed $ envforge mcp harden 2 credentials found → replaced with ${VAR}
RUN
Execute your app with secrets resolved in memory only and masked in every log line. Scope access to a time-boxed lease — and revoke everything instantly if something feels wrong.
# volatile = never on disk · redact = masked output $ envforge run --volatile --redact -- npm start connecting to [REDACTED:DB_PASSWORD]@host… server running on :3000 $ envforge lease create --ttl 1h --keys DB_URL,API_KEY $ envforge revoke --all KILLSWITCH: 3 leases revoked
WATCH
Plant honeypot canaries that alert on exfiltration, audit git history for AI-assisted leaks, and map what breaks before you rotate. Detection and governance, not just prevention.
# honeypot credential — tripwire on read/exfil $ envforge canary create STRIPE_KEY canary planted · monitoring enabled $ envforge audit --ai-leaks scanned 1,204 commits · 0 AI-assisted leaks $ envforge deps DB_URL 3 services depend on this secret
See the danger in your editor.
EnvForge ships a Language Server and first-party VS Code, IntelliJ, Neovim & Zed plugins. The AI-exposure story lives where you write code — not buried in a CLI.
- Exposure heatmap — a colored dot in the gutter on every env-var line. The classification is byte-identical to the CLI.
- Canary tripwire glyphs — a shield replaces the dot when a canary is registered. Hover for status.
- Status-bar trio — variable count, fence shield (
AI BLOCKED/AI ALLOWED), and a live volatile-lease countdown. - Source-language goto-definition — ctrl-click
process.env.X,os.environ["X"],std::env::var("X")across 11 languages, land on the schema entry. - MCP config linter — credential patterns flagged inline in
.cursor/mcp.json,.claude/settings.jsonand friends. - One-key quick-fixes — plant a canary, mark as secret, generate
.envfrom schema, swap in a secret reference.
REDplaintext, readable by AI agents right nowAMBERsensitive — will be redacted by AI-guardGREENfenced — the agent can’t reach itAll first-party plugins are thin clients over envforge lsp — same backend, contract-locked parity. Also works LSP-only in Helix, Emacs, Sublime Text, Kakoune & Lapce.
27 tools. Six layers.
From prevention to governance — the most comprehensive AI-agent secret protection of any CLI.
| Layer | Tool | Command | What it does |
|---|---|---|---|
| Prevention | Secret Fence | envforge fence | Ignore rules for Cursor, Copilot, Claude Code |
| Prevention | Fence Status | fence --status | Verify ignore rules are active |
| Prevention | Fence Targets | fence config | Choose which AI tools the fence covers |
| Prevention | Pre-Commit Hook | scan --install-hook | Block commits containing secrets |
| Prevention | 3-Stage AI Guard | ai-guard pre-tool | Scan before & after AI tool execution |
| Prevention | AI Hooks | ai-hook install | PreToolUse + PostToolUse hooks |
| Prevention | Hook Status | ai-hook status | Check which tools have active hooks |
| Prevention | File Alerts | built-in | Warn on .env, .pem, .ssh/ access |
| Runtime | Volatile Mode | run --volatile | Secrets in memory only — never on disk |
| Runtime | Log Redaction | run --redact | Mask secrets in subprocess output |
| Runtime | Credential Proxy | proxy --port 8100 | HTTP API with allowlist + audit |
| Runtime | Session Leases | lease create --ttl | Time-bounded secret access |
| Runtime | Killswitch | revoke --all | Instantly revoke all active leases |
| Context | AI-Safe Schema | schema emit-ai | Types & names without values |
| Context | Safe Export | export --safe | Redacted [REDACTED] values |
| Context | Ignore File | .envforgeignore | Mark files AI tools should skip |
| Remediation | MCP Scan | mcp status | Find creds in AI tool configs |
| Remediation | MCP Harden | mcp harden | Auto-replace with ${VAR} references |
| Remediation | Prompt Sanitizer | sanitize FILE | Strip secrets from any file |
| Detection | Canary Secrets | canary create | Honeypot credentials — alert on exfiltration |
| Detection | AI Leak Audit | audit --ai-leaks | Scan git for AI-assisted leaks |
| Detection | Access Audit | audit --access | JSONL log of proxy access |
| Governance | Approval Flow | --require-approval | Human approves each secret access |
| Governance | Dependency Map | deps KEY --source | What breaks if this secret rotates? |
| Governance | External Scanner | scanner test | Multi-scanner pipeline (Lakera, ggshield) |
| Governance | Session Scoping | session start --ttl | Per-AI-tool scoping with auto-detection |
| Governance | Lifecycle Automation | lifecycle check | Rule-based create / rotate / decommission |
| Governance | Analytics | analytics unused | Dormant-secret detection & retention |
Beyond AI safety.
A complete environment-variable manager underneath — 100+ commands, no migration required.
+Encrypted sync
Git-based cross-machine sync with age (X25519) encryption. Selective keys, machine overrides, rollback, offline-first. Your env vars are ciphertext in the repo.
+13 secret providers
Pull, push and reference across Vault, AWS SSM, 1Password, Doppler, GCP, Azure and more — with URI refs like vault://secret/app/DB_URL.
+Schema validation
.env.schema with types, defaults & descriptions. Drift detection, JSON Schema for autocomplete, onboarding wizard.
+TUI + CLI
Vim-style TUI with fuzzy search, grouping and masking. 100+ CLI commands with --json and --dry-run.
+8 export formats
dotenv, JSON, YAML, TOML, Docker, Docker Secrets, Kubernetes Secret, Terraform tfvars — one command.
+Workflows & audit
Profiles, snapshots, guided rotation with propagation, secure sharing, a unified check, plus SOC2 audit-trail reports.
Plugs into your stack.
Configure once, reference everywhere.
How EnvForge compares.
The only tool pairing comprehensive AI safety with full environment management.
| EnvForge | ggshield | dotenvx | Infisical | Doppler | Varlock | |
|---|---|---|---|---|---|---|
| AI safety tools | 27 | 3 | 2 | 1 | 0 | 7 |
| Pre-tool scanning | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Canary secrets | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Session leases + killswitch | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| MCP config harden | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Volatile mode (no disk) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Full env management | ✓ | ✕ | ✓ | ✓ | ✓ | ✓ |
| TUI interface | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| 13 secret providers | ✓ | ✕ | ✕ | ✓ | ✓ | ✓ |
| Encrypted sync | ✓ | ✕ | ✓ | ✓ | ✓ | ✕ |
| Zero cloud dependency | ✓ | ✕ | ✓ | ✕ | ✕ | ✓ |
Install in 10 seconds.
Rust 1.75+ · Linux and macOS.
# shell completions (auto-install) $ envforge completions zsh --install # IDE-style autocomplete: carapace / inshellisense / kiro / fig $ envforge completions carapace --install # built-in man pages $ envforge man # full command index $ envforge man fence # a specific command