Native macOS · secrets vault

Keys in one place.
Out of your projects.

enveigh keeps your team's secrets in a local, encrypted vault on your Mac — and streams them to your coding agents at runtime, so they never touch a repo, a config file, or disk. Agents use your keys without ever seeing them.

macOS 26+ · Apple Silicon & Intel · in private beta · no telemetry

The enveigh vault — your secrets with rotation status, on macOS
Native macOS app · Encrypted local vault · Keychain-backed · Audit log on every read

Why enveigh

Your agents are powerful. Your keys shouldn't be lying around for them.

Every .env in your repo is a key waiting to leak — into a commit, a log, a paste, an agent's context window. enveigh keeps the values somewhere agents can reach but never read.

Local, encrypted vault

Values live in the macOS Keychain (device-only, unlock-gated). Only non-secret metadata is stored on disk. Nothing syncs to a cloud you don't control.

Use, don't see

Agents run your commands with secrets injected as environment variables, redacted from everything they read back. The model never receives a plaintext key.

Agent-native

An embedded MCP server and CLI let Claude Code, Cursor, and friends run_with_env — a working environment, zero keys in the transcript.

Touch ID gated

Revealing or copying a value takes a fingerprint. The local broker only runs while the vault is unlocked, and every client gets its own scoped token.

Rotation & history

Rotate a key and the old version is retired with a grace window so you can roll back. Expiry reminders surface keys that are going stale.

Audited & honest

Every reveal, render, export, and agent access is written to a local audit log — before the value ever leaves the app.



For your agents

A working environment, without the keys

Point an agent at an environment and it gets everything it needs to build, test, and deploy — with the values hidden the whole way through.

# the agent asks enveigh to run a command with an environment injected
$ enveigh run --env production -- npm run deploy

# secrets are present as env vars inside the process,
# and redacted from everything the agent reads back:
DATABASE_URL=<redacted>
STRIPE_SECRET_KEY=<redacted>
✓ deployed — exit 0

run_with_env

Run a command with an environment's secrets injected. Output redacted. The preferred path — the agent never holds a value.

list_environments

Discover which environments exist and what they bind — names only, never values.

render_env

When you really need the file, render a full .env — off by default, Touch-ID gated, and audited every time.
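
The inject-then-redact pattern that run_with_env describes, as an added illustration in Python; it is not enveigh's code. The function names, the child command and the secret values are constructed for the example, and redaction here is assumed to be plain literal matching.

```python
import os
import subprocess
import sys

REDACTED = "<redacted>"

def redact(text, secrets):
    """Replace every literal occurrence of a secret value with a marker."""
    # Longest values first: if one secret contains another, replacing the
    # short one first would leave the tail of the long one in the output.
    for value in sorted(set(secrets.values()), key=len, reverse=True):
        if value:  # an empty value would match at every position
            text = text.replace(value, REDACTED)
    return text

def run_with_env(cmd, secrets, base_env=None):
    """Run cmd with secrets injected as env vars; return redacted output."""
    env = dict(os.environ if base_env is None else base_env)
    env.update(secrets)  # values exist only in the child's environment copy
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    # The caller (the agent) only ever receives the redacted streams.
    return (proc.returncode,
            redact(proc.stdout, secrets),
            redact(proc.stderr, secrets))

# Constructed sample values, not real credentials.
SAMPLE_SECRETS = {
    "DATABASE_URL": "postgres://app:s3cr3t-pw@db.example.internal/prod",
    "STRIPE_SECRET_KEY": "sk_test_CONSTRUCTED_EXAMPLE_0000",
}

# Constructed child command standing in for a deploy script that logs its
# configuration on stdout and an error containing a key on stderr.
CHILD = [sys.executable, "-c",
         "import os, sys\n"
         "print('DATABASE_URL=' + os.environ['DATABASE_URL'])\n"
         "sys.stderr.write('auth failed for ' + os.environ['STRIPE_SECRET_KEY'])\n"]

if __name__ == "__main__":
    code, out, err = run_with_env(CHILD, SAMPLE_SECRETS)
    print(code, out, err, sep="\n")
```
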


Stop pasting keys into terminals.

enveigh is in private beta for macOS. Request access and we'll send you a notarized build as soon as it's ready.

macOS 26+ · Apple Silicon & Intel · auto-updating · no telemetry