25 AI safety tools · Rust · source-available · VS Code, IntelliJ, Neovim, Zed

Your secrets aren’t safe from AI.

EnvForge is the environment-variable manager built to protect secrets from AI coding agents — not just store them. Fence the files, intercept the tool calls, run with secrets sealed in memory, and trip a canary if anything leaks. One Rust CLI, a TUI, and a Language Server that lights up your editor.

★ Star on GitHub
25 AI safety tools 13 secret providers 100+ commands 2,400+ tests passing

Four moves. Total coverage.

EnvForge isn’t a vault you push to and forget. It’s a defense pipeline you run as you work — fence, guard, run, watch.

1.0

FENCE

Block AI tools from ever reading your secrets, then hand them context without values — types and names from an inferred schema, never the credentials themselves.

fenceprevention
# block Cursor, Copilot & Claude Code at the file level
$ envforge fence
  created .envforgeignore · .cursorignore · .claude/settings.json

# give the agent context — names & types, no values
$ envforge schema emit-ai --infer --output .env.ai.md
  wrote .env.ai.md (42 variables, 0 values)
2.0

GUARD

Wire EnvForge into the agent’s tool loop and your git hooks. Every read and every commit is scanned before it lands; leaked credentials in MCP configs get rewritten to ${VAR} references.

guardprevention · remediation
# PreToolUse + PostToolUse hooks in the agent
$ envforge ai-hook install claude-code
  hooks installed: PreToolUse + PostToolUse

$ envforge scan --install-hook
  pre-commit hook installed

$ envforge mcp harden
  2 credentials found  replaced with ${VAR}
3.0

RUN

Execute your app with secrets resolved in memory only and masked in every log line. Scope access to a time-boxed lease — and revoke everything instantly if something feels wrong.

runruntime
# volatile = never on disk · redact = masked output
$ envforge run --volatile --redact -- npm start
  connecting to [REDACTED:DB_PASSWORD]@host…
  server running on :3000

$ envforge lease create --ttl 1h --keys DB_URL,API_KEY
$ envforge revoke --all
  KILLSWITCH: 3 leases revoked
4.0

WATCH

Plant honeypot canaries that alert on exfiltration, audit git history for AI-assisted leaks, and map what breaks before you rotate. Detection and governance, not just prevention.

watchdetection · governance
# honeypot credential — tripwire on read/exfil
$ envforge canary create STRIPE_KEY
  canary planted · monitoring enabled

$ envforge audit --ai-leaks
  scanned 1,204 commits · 0 AI-assisted leaks

$ envforge deps DB_URL
  3 services depend on this secret

See the danger in your editor.

EnvForge ships a Language Server and first-party VS Code, IntelliJ, Neovim & Zed plugins. The AI-exposure story lives where you write code — not buried in a CLI.

  • Exposure heatmap — a colored dot in the gutter on every env-var line. The classification is byte-identical to the CLI.
  • Canary tripwire glyphs — a shield replaces the dot when a canary is registered. Hover for status.
  • Status-bar trio — variable count, fence shield (AI BLOCKED / AI ALLOWED), and a live volatile-lease countdown.
  • Source-language goto-definition — ctrl-click process.env.X, os.environ["X"], std::env::var("X") across 11 languages, land on the schema entry.
  • MCP config linter — credential patterns flagged inline in .cursor/mcp.json, .claude/settings.json and friends.
  • One-key quick-fixes — plant a canary, mark as secret, generate .env from schema, swap in a secret reference.
Gutter heatmap — what the dots mean
REDplaintext, readable by AI agents right now
AMBERsensitive — will be redacted by AI-guard
GREENfenced — the agent can’t reach it

All first-party plugins are thin clients over envforge lsp — same backend, contract-locked parity. Also works LSP-only in Helix, Emacs, Sublime Text, Kakoune & Lapce.

27 tools. Six layers.

From prevention to governance — the most comprehensive AI-agent secret protection of any CLI.

LayerToolCommandWhat it does
PreventionSecret Fenceenvforge fenceIgnore rules for Cursor, Copilot, Claude Code
PreventionFence Statusfence --statusVerify ignore rules are active
PreventionFence Targetsfence configChoose which AI tools the fence covers
PreventionPre-Commit Hookscan --install-hookBlock commits containing secrets
Prevention3-Stage AI Guardai-guard pre-toolScan before & after AI tool execution
PreventionAI Hooksai-hook installPreToolUse + PostToolUse hooks
PreventionHook Statusai-hook statusCheck which tools have active hooks
PreventionFile Alertsbuilt-inWarn on .env, .pem, .ssh/ access
RuntimeVolatile Moderun --volatileSecrets in memory only — never on disk
RuntimeLog Redactionrun --redactMask secrets in subprocess output
RuntimeCredential Proxyproxy --port 8100HTTP API with allowlist + audit
RuntimeSession Leaseslease create --ttlTime-bounded secret access
RuntimeKillswitchrevoke --allInstantly revoke all active leases
ContextAI-Safe Schemaschema emit-aiTypes & names without values
ContextSafe Exportexport --safeRedacted [REDACTED] values
ContextIgnore File.envforgeignoreMark files AI tools should skip
RemediationMCP Scanmcp statusFind creds in AI tool configs
RemediationMCP Hardenmcp hardenAuto-replace with ${VAR} references
RemediationPrompt Sanitizersanitize FILEStrip secrets from any file
DetectionCanary Secretscanary createHoneypot credentials — alert on exfiltration
DetectionAI Leak Auditaudit --ai-leaksScan git for AI-assisted leaks
DetectionAccess Auditaudit --accessJSONL log of proxy access
GovernanceApproval Flow--require-approvalHuman approves each secret access
GovernanceDependency Mapdeps KEY --sourceWhat breaks if this secret rotates?
GovernanceExternal Scannerscanner testMulti-scanner pipeline (Lakera, ggshield)
GovernanceSession Scopingsession start --ttlPer-AI-tool scoping with auto-detection
GovernanceLifecycle Automationlifecycle checkRule-based create / rotate / decommission
GovernanceAnalyticsanalytics unusedDormant-secret detection & retention

Beyond AI safety.

A complete environment-variable manager underneath — 100+ commands, no migration required.

+Encrypted sync

Git-based cross-machine sync with age (X25519) encryption. Selective keys, machine overrides, rollback, offline-first. Your env vars are ciphertext in the repo.

+13 secret providers

Pull, push and reference across Vault, AWS SSM, 1Password, Doppler, GCP, Azure and more — with URI refs like vault://secret/app/DB_URL.

+Schema validation

.env.schema with types, defaults & descriptions. Drift detection, JSON Schema for autocomplete, onboarding wizard.

+TUI + CLI

Vim-style TUI with fuzzy search, grouping and masking. 100+ CLI commands with --json and --dry-run.

+8 export formats

dotenv, JSON, YAML, TOML, Docker, Docker Secrets, Kubernetes Secret, Terraform tfvars — one command.

+Workflows & audit

Profiles, snapshots, guided rotation with propagation, secure sharing, a unified check, plus SOC2 audit-trail reports.

Plugs into your stack.

Configure once, reference everywhere.

HashiCorp VaultAWS SSM1Password DopplerInfisicalGCP Secret Manager Azure Key VaultBitwardenAkeyless CyberArk ConjurMozilla SOPSpass / gopass Keeper

How EnvForge compares.

The only tool pairing comprehensive AI safety with full environment management.

EnvForgeggshielddotenvxInfisicalDopplerVarlock
AI safety tools2732107
Pre-tool scanning
Canary secrets
Session leases + killswitch
MCP config harden
Volatile mode (no disk)
Full env management
TUI interface
13 secret providers
Encrypted sync
Zero cloud dependency

Install in 10 seconds.

Rust 1.75+ · Linux and macOS.

Or build from source: git clone https://github.com/emreerinc/envforge && cd envforge && cargo install --path .

setupcompletions · man
# shell completions (auto-install)
$ envforge completions zsh --install

# IDE-style autocomplete: carapace / inshellisense / kiro / fig
$ envforge completions carapace --install

# built-in man pages
$ envforge man            # full command index
$ envforge man fence      # a specific command