MCP server
How AI agents use your secrets through enveigh's MCP server: redacted by default, per-client scoped, audited, with an opt-in reveal.
enveigh-mcp is a stdio JSON-RPC MCP server that proxies to the running app's broker. It's
how Claude Code, Cursor, Codex, Windsurf, Gemini CLI, and friends use your secrets, without
the model ever receiving a plaintext value in the default configuration.

See it in motion
run_with_env and capture_secret, in a 37-second walkthrough:
Install
In the app: Settings → Integrations, then install into each detected client (or do it in one tap during onboarding). enveigh writes the MCP entry into that client's config and mints a per-client token:
{
"mcpServers": {
"enveigh": {
"command": "/Users/you/Library/Application Support/enveigh/bin/enveigh-mcp",
"env": { "ENVEIGH_MCP_TOKEN": "…minted per client…" }
}
}
}Each client's token is individually revocable, and reinstalling rotates it (old configs stop working). You can scope a client to a single environment from the Integrations pane, enforced server-side by the broker, so it holds even if the client tampers with its own env.
Tools
run_with_env(environment, command): the safe default
Runs command (an argv array) with the environment's secrets injected, and returns the
output with every secret value redacted. This is what an agent should reach for ~always.
// the agent calls:
{ "name": "run_with_env",
"arguments": { "environment": "web", "command": ["npm", "test"] } }
// it gets back (values replaced with ‹redacted›):
// exit code: 0
// --- output (secrets redacted) ---
// > test · DATABASE_URL=‹redacted› · all suites passedOutput is capped (200k chars) so a runaway command can't flood the model's context, and the
child is terminated at a timeout (default 10 minutes; ENVEIGH_MCP_TIMEOUT_SECONDS in the
client's MCP env overrides it) so a hung command can't wedge the tool call forever.
That makes this the tool for commands that finish: build, test, deploy, migrate. For a dev server or watcher, agents should background the CLI instead. See Builds & dev servers.
list_environments / list_secrets
Names only. list_secrets never returns values. A client scoped to one environment only
sees that environment's bound secrets.
import_project(directory): vault a project's keys, sight unseen
The agent sends a path; the app scans that folder's .env files and vaults any
credential-shaped keys not already in the folder's environment, bound to it. You approve via
Touch ID (the prompt names the requesting process and the exact path), and the agent gets
back key names and a summary only; values never flow toward it. Idempotent: re-running
adds only what's missing, into the same environment. Refuses / and your home directory.
The skill teaches agents the loop: run_with_env says no such environment → import_project
→ run.
capture_secret(name, value): catch a pasted key
If a user pastes a key into the chat, the agent should call this immediately. The app
shows a Touch ID confirmation ("…wants to save 'STRIPE_KEY' into your vault"). That
prompt is the user's consent. It's write-only: the agent can never read the value back.
A scoped client gets the capture bound into its environment, so the next run_with_env can
use it right away.
This pairs with the agent skill and the app's clipboard watcher to keep keys out of transcripts.
render_env(environment) / get_secret(name): opt-in reveal
These return raw plaintext to the agent, so they're hidden by default. They appear only when the client was installed with reveal enabled:
ENVEIGH_MCP_ALLOW_REVEAL=1Even then, each call passes through the app's approval policy (Touch ID) and is audited. Tell agents not to use these unless you explicitly ask them to read a value.
What the agent can and can't do
| Default | With ALLOW_REVEAL=1 | |
|---|---|---|
| Run commands with secrets injected | ✅ redacted output | ✅ |
| List environment / secret names | ✅ | ✅ |
| Capture a pasted key (write-only) | ✅ Touch-ID confirmed | ✅ |
| Read a raw value | ❌ tool not even exposed | ⚠️ Touch-ID gated + audited |
Agent skill
Installing the agent skill (Settings → Integrations → Install the agent skill) drops a
SKILL.md into your agents' skill directories. It teaches them to:
- prefer
run_with_envover fetching raw values, - never write secret values to files, logs, or messages,
- call
capture_secretthe moment a user pastes a key, then stop using the pasted value and suggest rotating it.
Try it by hand
The server speaks line-delimited JSON-RPC on stdio, so you can drive it directly:
HELPER="$HOME/Library/Application Support/enveigh/bin/enveigh-mcp"
printf '%s\n%s\n' \
'{"jsonrpc":"2.0","id":1,"method":"initialize"}' \
'{"jsonrpc":"2.0","id":2,"method":"tools/list"}' | "$HELPER"With no ENVEIGH_MCP_ALLOW_REVEAL, you'll see run_with_env, list_environments,
list_secrets, and capture_secret, and no render_env / get_secret. That's the
gate working.