How to use
From install to your first agent run
enveigh is a Mac app. You manage keys in a clean, native UI; your agents reach them through a local, token-gated broker that only runs while the vault is unlocked.
Install & unlock
Open enveigh and unlock with Touch ID. The vault is locked by default and locks again whenever you choose — the agent broker only runs while it's open.
Import your keys
Point enveigh at a project folder. It scans for .env files and imports the credential-shaped values (skipping config like PORT or NODE_ENV) straight into the Keychain. Or add secrets by hand.
Build an environment
Group secrets into an environment (e.g. production, staging) by binding each to an ENV_VAR name. That's what gets rendered or injected later.
Connect your agents
In Settings → Integrations, install the enveigh MCP server into the AI clients you use. Each gets its own scoped token. You can limit a client to a single environment — enforced by the broker, not the client.
Run with an environment
Use the in-app Run panel (⌘R) or have your agent call run_with_env. Your command runs with the secrets injected as env vars; the output is redacted and nothing is written to disk.
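The run-and-redact pattern described above, sketched in Python as an added example. It is not enveigh's code: the function names, the placeholder format, the minimum redaction length and the sample values are all assumptions made for illustration.

```python
import os
import subprocess
import sys

MIN_REDACT_LEN = 4  # assumption: very short values are not masked, to avoid shredding output


def redact(text, secrets):
    """Replace every occurrence of each secret value with a placeholder naming its variable."""
    # Longest values first, so a secret that contains another secret is masked whole.
    for name, value in sorted(secrets.items(), key=lambda kv: len(kv[1]), reverse=True):
        if len(value) >= MIN_REDACT_LEN:
            text = text.replace(value, f"[REDACTED:{name}]")
    return text


def run_with_env_sketch(argv, secrets, timeout=30):
    """Run argv with secrets injected as env vars; return (exit_code, redacted_output)."""
    env = dict(os.environ)
    env.update(secrets)  # secrets live only in the child's environment, never in a file
    proc = subprocess.run(
        argv, env=env, capture_output=True, text=True, timeout=timeout, shell=False
    )
    # Redact stdout and stderr before anything is handed back to the caller.
    return proc.returncode, redact(proc.stdout + proc.stderr, secrets)


# Constructed sample environment: ENV_VAR name -> value (not real credentials).
SAMPLE_ENV = {
    "API_TOKEN": "tok_constructed_0123456789",
    "DB_PASSWORD": "constructed-db-pass",
}

if __name__ == "__main__":
    # A child that uses one secret normally and leaks the other to stdout.
    child = [
        sys.executable, "-c",
        "import os; print('token length', len(os.environ['API_TOKEN'])); "
        "print('connecting with', os.environ['DB_PASSWORD'])",
    ]
    code, output = run_with_env_sketch(child, SAMPLE_ENV)
    print(code, output, sep="\n")
```

Substring matching misses a value the child prints in transformed form (base64, URL-encoded, split across lines), so output redaction is a backstop rather than a boundary.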
The secure default
The whole point is that the easy path is the safe one. Value-returning tools (render_env, get_secret) are off by default — an agent can get a working environment via run_with_env without a single key ever appearing in its context. When you do need plaintext, it's Touch-ID gated and written to the audit log first.
For agents (MCP)
The bundled enveigh-mcp helper speaks JSON-RPC over stdio. Your client config looks like:
Without ENVEIGH_MCP_ALLOW_REVEAL, the value tools are hidden entirely — run_with_env still works, so agents stay productive without ever receiving a key.