enveigh docs

MCP server

How AI agents use your secrets through enveigh's MCP server: redacted by default, per-client scoped, audited, with an opt-in reveal.

enveigh-mcp is a stdio JSON-RPC MCP server that proxies to the running app's broker. It's how Claude Code, Cursor, Codex, Windsurf, Gemini CLI, and friends use your secrets, without the model ever receiving a plaintext value in the default configuration.

A live enveigh MCP JSON-RPC session: value tools hidden, run_with_env returns redacted output

See it in motion

run_with_env and capture_secret, in a 37-second walkthrough:

Install

In the app: Settings → Integrations, then install into each detected client (or do it in one tap during onboarding). enveigh writes the MCP entry into that client's config and mints a per-client token:

{
  "mcpServers": {
    "enveigh": {
      "command": "/Users/you/Library/Application Support/enveigh/bin/enveigh-mcp",
      "env": { "ENVEIGH_MCP_TOKEN": "…minted per client…" }
    }
  }
}

Each client's token is individually revocable, and reinstalling rotates it (old configs stop working). You can scope a client to a single environment from the Integrations pane, enforced server-side by the broker, so it holds even if the client tampers with its own env.

Tools

run_with_env(environment, command): the safe default

Runs command (an argv array) with the environment's secrets injected, and returns the output with every secret value redacted. This is what an agent should reach for ~always.

// the agent calls:
{ "name": "run_with_env",
  "arguments": { "environment": "web", "command": ["npm", "test"] } }

// it gets back (values replaced with ‹redacted›):
// exit code: 0
// --- output (secrets redacted) ---
// > test  ·  DATABASE_URL=‹redacted›  ·  all suites passed

Output is capped (200k chars) so a runaway command can't flood the model's context, and the child is terminated at a timeout (default 10 minutes; ENVEIGH_MCP_TIMEOUT_SECONDS in the client's MCP env overrides it) so a hung command can't wedge the tool call forever.

That makes this the tool for commands that finish: build, test, deploy, migrate. For a dev server or watcher, agents should background the CLI instead. See Builds & dev servers.

list_environments / list_secrets

Names only. list_secrets never returns values. A client scoped to one environment only sees that environment's bound secrets.

import_project(directory): vault a project's keys, sight unseen

The agent sends a path; the app scans that folder's .env files and vaults any credential-shaped keys not already in the folder's environment, bound to it. You approve via Touch ID (the prompt names the requesting process and the exact path), and the agent gets back key names and a summary only; values never flow toward it. Idempotent: re-running adds only what's missing, into the same environment. Refuses / and your home directory.

The skill teaches agents the loop: run_with_env says no such environment → import_project → run.

capture_secret(name, value): catch a pasted key

If a user pastes a key into the chat, the agent should call this immediately. The app shows a Touch ID confirmation ("…wants to save 'STRIPE_KEY' into your vault"). That prompt is the user's consent. It's write-only: the agent can never read the value back. A scoped client gets the capture bound into its environment, so the next run_with_env can use it right away.

This pairs with the agent skill and the app's clipboard watcher to keep keys out of transcripts.

render_env(environment) / get_secret(name): opt-in reveal

These return raw plaintext to the agent, so they're hidden by default. They appear only when the client was installed with reveal enabled:

ENVEIGH_MCP_ALLOW_REVEAL=1

Even then, each call passes through the app's approval policy (Touch ID) and is audited. Tell agents not to use these unless you explicitly ask them to read a value.

What the agent can and can't do

DefaultWith ALLOW_REVEAL=1
Run commands with secrets injected✅ redacted output
List environment / secret names
Capture a pasted key (write-only)✅ Touch-ID confirmed
Read a raw value❌ tool not even exposed⚠️ Touch-ID gated + audited

Agent skill

Installing the agent skill (Settings → Integrations → Install the agent skill) drops a SKILL.md into your agents' skill directories. It teaches them to:

  • prefer run_with_env over fetching raw values,
  • never write secret values to files, logs, or messages,
  • call capture_secret the moment a user pastes a key, then stop using the pasted value and suggest rotating it.

Try it by hand

The server speaks line-delimited JSON-RPC on stdio, so you can drive it directly:

HELPER="$HOME/Library/Application Support/enveigh/bin/enveigh-mcp"
printf '%s\n%s\n' \
  '{"jsonrpc":"2.0","id":1,"method":"initialize"}' \
  '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' | "$HELPER"

With no ENVEIGH_MCP_ALLOW_REVEAL, you'll see run_with_env, list_environments, list_secrets, and capture_secret, and no render_env / get_secret. That's the gate working.

On this page