
CLI reference

The enveigh command line — run commands with secrets injected, render .envs, and fetch values, all through the running app.

The enveigh CLI doesn't open the vault itself — it talks to the running, unlocked app over a local broker socket. That's deliberate: there is exactly one process on your Mac that can touch the Keychain (the app), one approval policy, and one audit log, no matter which tool is asking.

Install

The app installs the CLI for you: Settings → Integrations → Install the enveigh CLI, or during onboarding. It symlinks into /usr/local/bin (or ~/.local/bin).

enveigh            # no args → prints usage

If any command reports enveigh app is not running or is locked — open the app and unlock it. That's the only prerequisite.

Commands

enveigh list

Lists your environments (the projects you imported or created), one per line.

$ enveigh list
api · staging
api · production
web

enveigh secrets

Lists secret names only — never values.

$ enveigh secrets
ANTHROPIC_API_KEY
DATABASE_URL
STRIPE_SECRET_KEY

enveigh run --env <environment> -- <command…> (the one you want)

Runs a command with the environment's secrets injected as environment variables. The secrets exist inside the child process — they're never echoed, never written to disk, and never touch your shell history.

enveigh run --env web -- npm test
enveigh run --env "api · production" -- ./migrate.sh
enveigh run --env web -- npx prisma db push

Notes:

  • Everything after -- is the command, verbatim.
  • Credential-shaped variables inherited from your shell are stripped before the vault's values are injected — a stray export OPENAI_API_KEY=… in your profile can't ride along.
  • The child's exit code becomes enveigh run's exit code, so it composes with CI scripts.
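The three guarantees in the notes above (secrets exist only in the child, credential-shaped inherited variables are scrubbed first, the child's exit code is forwarded) are easy to get wrong in a home-grown wrapper. The following is an added illustration of that contract in Python; it is not enveigh's own code, and the credential-name pattern, the in-memory sample vault and the helper names are assumptions made for the example.

```python
"""Model of the `enveigh run` contract: scrub credential-shaped variables
inherited from the parent shell, inject the environment's secrets into the
child process only, and return the child's exit code unchanged.
Illustrative reimplementation, not enveigh's code."""
import os
import re
import subprocess
import sys

# Assumption: variable names that look like credentials, matched as whole
# underscore-separated components so that e.g. TOKENIZER is left alone.
CREDENTIAL_SHAPED = re.compile(
    r"(^|_)(API_KEY|SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|ACCESS_KEY)($|_)",
    re.IGNORECASE,
)


def scrub_inherited_env(parent_env):
    """Drop credential-shaped variables inherited from the shell, so a stray
    `export OPENAI_API_KEY=...` in a profile cannot ride into the child."""
    return {k: v for k, v in parent_env.items() if not CREDENTIAL_SHAPED.search(k)}


def build_child_env(parent_env, vault_values):
    """Scrubbed parent environment plus the vault's values; vault values win
    over anything that survived scrubbing."""
    child = scrub_inherited_env(parent_env)
    child.update(vault_values)
    return child


def run_with_secrets(vault_values, command, parent_env=None):
    """Run `command` (an argv list, used verbatim) with the secrets present only
    in the child's environment; return the child's exit code so callers and
    CI scripts can act on it."""
    source = os.environ if parent_env is None else parent_env
    completed = subprocess.run(command, env=build_child_env(source, vault_values))
    return completed.returncode


def python_child(code):
    """argv for a small Python child process; used as a portable test command."""
    return [sys.executable, "-c", code]


# Constructed sample vault for a 'web' environment (placeholder values, not real).
SAMPLE_VAULT = {
    "DATABASE_URL": "postgres://localhost/web_dev",
    "STRIPE_SECRET_KEY": "sk_test_placeholder",
}

if __name__ == "__main__":
    # Mirror the CLI: everything after `--` is the command, verbatim.
    argv = sys.argv[sys.argv.index("--") + 1:] if "--" in sys.argv else python_child(
        "import os; print(sorted(k for k in os.environ if k.startswith('STRIPE')))"
    )
    sys.exit(run_with_secrets(SAMPLE_VAULT, argv))
```

Note that the scrub happens before injection, and that the vault's values are written last, so a shell variable that happens to share a name with a vault secret cannot shadow it.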

enveigh env <environment>

Prints the rendered .env (with real values) to stdout. Useful for piping — but prefer run wherever possible, since a rendered file is plaintext again.

enveigh env web > .env.local        # if a tool truly needs the file

enveigh get <secret>

Prints a single secret's value.

DATABASE_URL=$(enveigh get DATABASE_URL) some-tool

Approval prompts

env, get, and run return values, so they pass through the app's approval policy (Settings → General → Agent access):

Policy                                    What happens on a CLI request
Touch ID per request                      Prompt every time
Touch ID once per environment (default)   One prompt per environment per session
Unlocked = allowed                        No prompt while the app is unlocked

The prompt names the actual requesting process chain (e.g. enveigh ← zsh ← Terminal), read from the kernel — a process can't lie about who it is. Every value access is also written to the Audit log in the app before the value is released.

Exit codes & scripting

  • 0 on success; run forwards the child's exit code.
  • Errors print to stderr and exit 1, so set -e scripts stop cleanly.
  • Output of list/secrets is plain lines — grep/xargs friendly.

# rotate-and-redeploy, with secrets never touching the script:
enveigh run --env production -- sh -c 'npm run build && npm run deploy'
