envault-cli

module
v0.9.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: MIT

README

Envault

Git-backed, zero-trust secrets manager for developer teams.

Envault encrypts your API keys and tokens directly inside your existing Git repo. No central vault, no third-party trust, no .env files committed in plaintext. Private keys never leave your machine. Secrets are injected into processes in memory at runtime — never written to disk.


Why Envault

Most teams leak secrets without realising it:

  • .env files committed to repos (anyone with clone access has the keys)
  • Secrets passed over Slack, email, or copy-paste
  • A shared vault that requires trusting a third-party server

Envault is different: it uses your team's existing Git remote as the transport. Each secret is encrypted end-to-end — only team members who have been granted access can decrypt. Remove a member from the vault and they lose future access. No new infrastructure required.


Install

One-line install (macOS / Linux, amd64 / arm64) — downloads the latest signed release, verifies its checksum, and drops envault on your PATH:

curl -fsSL https://raw.githubusercontent.com/MicheleColella/envault-cli/main/scripts/install.sh | sh

Override the target with ENVAULT_VERSION=v0.9.0 or ENVAULT_INSTALL_DIR=~/.local/bin.

With Go (any platform Go supports):

go install github.com/MicheleColella/envault-cli/cmd/envault@latest

From source:

make build && sudo make install   # builds ./envault and installs to /usr/local/bin

Releases are cross-compiled in CI and published to GitHub Releases with a checksums.txt signed via keyless cosign. Windows binaries are not yet published (pending a Windows keychain backend).


Quick start

The full path from a fresh machine to using Envault both from your terminal and from Claude Code, without ever retyping a passphrase inside Claude Code. Run these in order.

1. Install the binary
curl -fsSL https://raw.githubusercontent.com/MicheleColella/envault-cli/main/scripts/install.sh | sh

Downloads the latest signed release for your platform, verifies its checksum, and puts envault on your PATH. See Install below for alternatives (go install, building from source).

envault doctor

Sanity check: confirms the binary is found and the OS keychain backend works. Recipients/secrets will show 0 until you initialise a vault — that's expected at this point.

2. Initialise a vault in your project
cd your-project
envault init

Creates .envault/ at the repo root (config, recipients, secrets.enc — all encrypted; safe, and meant, to be committed to Git).

3. Generate your identity key
envault key new --id you@example.com

Generates an X25519 keypair. The private key is sealed in your OS keychain, itself encrypted at rest under a passphrase you choose right now — remember it (a password manager, not a sticky note). The public key is added to .envault/recipients so the vault can encrypt secrets for you.

4. Add a secret
echo "sk-abc123" | envault add OPENAI_KEY

Encrypts the value with a fresh AES-256-GCM data key, wrapped to every current recipient's public key. The plaintext never touches disk — only ciphertext goes into .envault/secrets.enc.

5. Push the encrypted vault to your Git remote
envault push

Stages .envault/, commits, and pushes — only ciphertext ever leaves your machine. A teammate does steps 1–3 with their own identity, you envault key import their public key (or they key export it to you), then they run envault pull to get access.

6. Install the Claude Code plugin

Type these as Claude Code slash commands (not shell commands), in a Claude Code session opened in your project:

/plugin marketplace add MicheleColella/envault-cli
/plugin install envault@envault

This enables, for this project only:

  • The AI Privacy Shield hooks — block envault cat/export/add/set in Bash, and mask any secret value that leaks into tool output.
  • An embedded MCP server — Claude calls typed tools (envault_status, envault_run, …) instead of constructing bash commands, so there's no shell string to parse and no shell-injection surface.
  • A skill that teaches Claude the vault workflow and its rules.

Enabling the plugin is reversible (/plugin uninstall envault) and scoped per-project via .claude/settings.json (enabledPlugins) — never global by default. It calls the envault binary already on your PATH; no separate binary to install. See Claude Code plugin below for the full component breakdown.

7. Unlock the key-unlock agent — once, then Claude Code needs no passphrase
envault agent unlock

Prompts for the passphrase you chose in step 3 (interactively, like any other envault command), then hands the decrypted key to a small background agent (ssh-agent-style, listening on ~/.envault/agent.sock) that keeps it cached in memory for 8 hours by default (--ttl to change). This agent is machine-wide, not tied to this terminal or this project: it keeps running after you close the terminal, and any Claude Code session opened afterward — even from a different terminal, even for a different project where you're also a recipient — finds it automatically.

From now on, until the TTL expires: envault run/rotate/protect encrypt, push/pull rewrap, Claude Code's MCP server, and its secret-masking hook all work with no passphrase prompt and no ENVAULT_PASSPHRASE needed. Check what's unlocked with envault agent status; clear it early with envault agent lock (or agent stop to also kill the background process).

8. Use it
envault run -- npm start

or, inside Claude Code, just ask it to do something with your secrets — e.g. "run the tests with the vault secrets injected" — Claude calls the MCP tools directly, no passphrase involved.


Claude Code plugin

Envault ships as a Claude Code plugin — see step 6 above for the install commands. This section is the deeper reference for what it actually does.

The MCP server (envault mcp serve) exposes typed, JSON-Schema-validated tools (envault_status, envault_list, envault_rotate, envault_run, envault_protect, envault_push, envault_pull) so Claude calls Envault directly instead of constructing bash commands — there's no shell string to parse, so no shell-injection surface, and tool responses carry only metadata (name, algorithm, recipient count, timestamps), never a secret value. It runs headless, per Claude Code session, with no persistent daemon. Sealing a new secret (add/set) is deliberately not exposed to Claude at all, via MCP or bash — that requires a human to type it in their own terminal, or the plaintext would have to pass through the model's context first.

Since the MCP server is headless, operations needing your private key (rotate, run, protect encrypt, push/pull) normally need ENVAULT_PASSPHRASE set — or, as in step 7 above, envault agent unlock once from your own terminal so a small background agent (~/.envault/agent.sock, ssh-agent-style) supplies the key instead. This is opt-in and widens the key's exposure window in exchange for convenience; envault status/doctor always show whether it's active.

envault@envault is <plugin>@<marketplace> — both are named envault in marketplace.json.

Enabling the plugin is reversible (/plugin uninstall envault) and scoped via .claude/settings.json (enabledPlugins). The plugin is additive — the CLI installs above are still the way to use Envault from a plain terminal.

Packaging decision: the plugin's hooks call envault on your PATH; it does not bundle platform-specific binaries. Install the binary once via any method above, then enable the plugin. Run envault doctor if the hooks report the binary is missing.


Commands

Command Description Status
envault init Initialise a vault in the current repo
envault agent unlock/lock/stop/status Unlock your key into a background agent for passphrase-free use (Claude Code MCP, postuse masking)
envault key new Generate an identity key (sealed in OS keychain)
envault key list List vault recipients
envault key export Export your public key to share with teammates
envault key import Add a teammate's public key as a recipient
envault key delete Remove a recipient from the vault
envault import <file.env> Bulk-import from an existing .env file
envault data store <file> Store an arbitrary file (JSON, PEM, binary…)
envault add <KEY> Add or update a single secret
envault set <KEY> Re-seal an existing secret with a new value
envault rm <KEY> Remove a secret from the vault
envault list List all secrets (names only — no plaintext)
envault cat <KEY> Decrypt and print a single secret
envault export Decrypt all env secrets as export KEY=value
envault rotate <KEY> Re-seal a secret with a fresh key for current recipients (true revocation)
envault push Stage, commit, and push the encrypted vault
envault pull Fetch and merge the vault; report changes
envault run [--only/--except] -- <cmd> Inject secrets in memory and run a command (0 bytes to disk)
envault exec Open $SHELL with all env secrets injected
envault scan [--staged/--all] Scan for secrets (pattern rules + entropy heuristic)
envault hook install --git Install a pre-commit hook that blocks secret leaks (--uninstall to remove)
envault protect add <path> Mark a path/glob off-limits to AI agents (blocked by the Envault plugin)
envault audit log show/verify Show or verify the tamper-evident AI access log
envault mcp serve [--project <path>] [--dry-run] Start the Envault MCP server for Claude Code (JSON-RPC 2.0 over stdio); --dry-run prints the tool schemas
envault status Structured health check of the vault, hooks, and shield
envault agent-check Verify the AI-agent environment is ready (exit 1 if not)
envault doctor Diagnose install state, hooks, keychain, and Git remote (no secrets exposed)
envault uninstall [--keys] Remove the vault and Git hook (--keys also clears keychain); install.sh --uninstall removes the binary. Claude Code: /plugin uninstall envault

Add --agent-safe (alias --json) to any command for structured JSON output; in this mode cat/export refuse to print plaintext unless you pass --force.


Security model

Envault is designed so that you do not have to trust anyone except your Git remote:

  • End-to-end encryption — secrets are encrypted on your machine before they are committed. Each secret uses a random data key (AES-256-GCM) wrapped to every recipient's X25519 public key. Only recipients with a matching private key can decrypt.
  • Private keys never leave your machine — they are sealed in the OS keychain (macOS Keychain via security, Linux kernel keyring via keyctl) and are never sent anywhere.
  • Private keys are encrypted at rest — the keychain blob is itself encrypted under a passphrase-derived key (Argon2id → AES-256-GCM), so even a process that reads your keychain gets useless ciphertext without your passphrase.
  • Zero-trust remote — the Git remote only ever stores ciphertext. Even if the remote is compromised, no secrets are exposed.
  • No disk writes — secrets are decrypted in memory and injected directly into the child process. Nothing is written to a temp file.
  • Per-recipient access control — adding or removing a teammate from the vault controls who can decrypt. rotate re-seals a secret with a fresh data key for the current recipients, truly revoking a removed member.
  • Leak prevention — an optional Git pre-commit hook (envault hook install --git) scans the staged diff for .env files, private keys, and known API tokens, blocking the commit before a secret ships.
  • AI Privacy Shield — the Envault Claude Code plugin blocks AI agents from reading protected paths or running envault cat/export, masks any vault secret that appears in tool output, and records every access in a tamper-evident audit log.
  • Integrity guaranteed — ciphertext is authenticated; any tampering is detected and rejected before decryption.
  • Key-unlock agent is opt-in and clearly boundedenvault agent unlock trades the "decrypt on demand, clear immediately" norm for a decrypted key cached in memory for a bounded TTL (default 8h), so headless callers (Claude Code) can skip the passphrase. Nothing changes unless you explicitly run it; envault status/doctor always show whether it's active.

Status

Active development — the full core workflow is implemented end-to-end: init a vault, manage keys, add/import secrets, push/pull over Git, envault run -- <cmd> to inject secrets in memory, AI-agent integration (Claude Code Privacy Shield), and one-line install from signed cross-platform releases.

Milestone Status
v0.1–0.2 — Scaffold, CI, crypto core ✅ shipped
v0.3 — Vault init, key management ✅ shipped
v0.4 — Secret import, add/set/rm, list, cat/export ✅ shipped
v0.5 — Git push / pull, re-wrap & rotation, conflict merge ✅ shipped
v0.6 — Runtime injection (envault run, exec) ✅ shipped
v0.7 — Git pre-commit hook & secret detection ✅ shipped
v0.8 — Claude Code & AI agent integration (Privacy Shield) ✅ shipped
v0.9.0 — Installer & cross-platform signed releases ✅ shipped
v0.9.1 — Clean uninstall & doctor ✅ shipped
v0.9.2 — Claude Code plugin & marketplace distribution ✅ shipped
v0.9.3 — Embedded MCP server (Claude Code native protocol) ✅ shipped
v0.9.4 — Key-unlock agent (ssh-agent-style, passphrase-free Claude Code UX) ✅ shipped
v0.9.5 — Integration testing (Forgejo container E2E) ✅ shipped
v0.9.6 — Security hardening & coverage 🔜 next
v0.9.7 — Custom Git merge driver & disaster recovery planned
v1.0.0 — Stable release planned

Requirements

  • Go 1.25+
  • macOS or Linux
  • Git (any version with remote support)

Build

make build          # static binary → ./envault  (CGO_ENABLED=0)
go test ./...       # run the test suite

The binary embeds its version from the latest git tag:

./envault --version

Contributing

The project is in active development. The roadmap is managed internally. Feel free to open an issue to discuss ideas, report bugs, or ask questions.


License

MIT

Directories

Path Synopsis
cmd
envault command
internal
agent
Package agent implements a small ssh-agent-style background daemon that caches decrypted private keys in memory for a bounded TTL, so a headless process (like the MCP server Claude Code spawns) can unseal a vault secret without a passphrase prompt or ENVAULT_PASSPHRASE — as long as a human has unlocked that key from a real terminal within the TTL window.
Package agent implements a small ssh-agent-style background daemon that caches decrypted private keys in memory for a bounded TTL, so a headless process (like the MCP server Claude Code spawns) can unseal a vault secret without a passphrase prompt or ENVAULT_PASSPHRASE — as long as a human has unlocked that key from a real terminal within the TTL window.
crypto
Package crypto implements AES-256-GCM envelope encryption and X25519 key exchange for Envault secret sealing and unsealing.
Package crypto implements AES-256-GCM envelope encryption and X25519 key exchange for Envault secret sealing and unsealing.
git
Package git wraps go-git to push, pull, and inspect the vault repository.
Package git wraps go-git to push, pull, and inspect the vault repository.
hook
Package hook installs and manages integration hooks for Envault: the Git pre-commit hook (git.go), the Claude Code PreToolUse hook (claude.go), and the PreToolUse request handler that blocks sensitive commands (preuse.go).
Package hook installs and manages integration hooks for Envault: the Git pre-commit hook (git.go), the Claude Code PreToolUse hook (claude.go), and the PreToolUse request handler that blocks sensitive commands (preuse.go).
keychain
Package keychain seals and retrieves the user's X25519 private key using the OS-native secret store (Keychain on macOS, Secret Service on Linux).
Package keychain seals and retrieves the user's X25519 private key using the OS-native secret store (Keychain on macOS, Secret Service on Linux).
mcp
Package mcp implements a minimal Model Context Protocol server: JSON-RPC 2.0 framed as one message per line over stdio.
Package mcp implements a minimal Model Context Protocol server: JSON-RPC 2.0 framed as one message per line over stdio.
scan
Package scan implements the secret detection engine used by the envault pre-commit hook and the `envault scan` CLI command.
Package scan implements the secret detection engine used by the envault pre-commit hook and the `envault scan` CLI command.
ui
vault
Package vault manages the on-disk vault layout, secret records, and recipient lists stored inside the Git repository.
Package vault manages the on-disk vault layout, secret records, and recipient lists stored inside the Git repository.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL