Show HN: enveil – hide your .env secrets from prAIng eyes
Open-source tool prevents Claude Code and Copilot from reading plaintext secrets, using encrypted local storage.
Developer Scott has released enveil, an open-source security tool designed specifically to protect environment secrets from AI-powered coding assistants. The tool addresses a growing concern: AI tools such as Claude Code, GitHub Copilot, and Cursor IDE automatically read files in project directories, potentially exposing plaintext .env files containing API keys, database credentials, and other sensitive data.
Technically, enveil works by rewriting each .env value into a symbolic reference (e.g., DATABASE_URL=ev://database_url) while storing the real values in a locally encrypted vault. When a developer runs a command through `enveil run -- npm start`, the tool prompts for a master password, derives a 256-bit AES key from it with Argon2id (64 MB memory, 3 iterations), decrypts and authenticates the local store with AES-256-GCM, and injects the resolved values into the child process's environment only. The store file consists of a 12-byte random nonce followed by the authenticated ciphertext; without the password its contents are indistinguishable from random bytes, and because GCM is an authenticated mode, any modification of the file is detected at decryption time rather than yielding silently corrupted secrets.
The project was inspired by Filip Hric's 1Password-based solution but offers a self-contained alternative without third-party dependencies. Notably, enveil was built almost entirely using Claude Code itself, the very kind of assistant it is designed to guard against, which the author presents as a demonstration of the assistant's practical utility. Installation is available via Cargo (Rust's package manager) or from source, requiring Rust 1.70+. Each project maintains its own encrypted store in a `.enveil/` directory, which should be added to `.gitignore` so the vault file is never committed.
This solution comes as developers increasingly report accidental secret exposure despite explicit instructions to AI tools. Because secrets never sit on disk as plaintext, the approach covers both accidental leaks and AI systems that index project files. One caveat follows directly from the design: the resolved values do exist in the environment of the child process, so anything that executes inside that process, including an agent that runs a shell command through `enveil run` or a script that dumps its own environment, still sees them. The protection is against reading files, not against code running within the session.
- Replaces plaintext .env values with ev:// references, storing real secrets in AES-256-GCM encrypted local vault
- Uses Argon2id key derivation (64MB memory, 3 iterations) and prevents secrets from appearing in shell history or process output
- Built with Rust for security and performance, inspired by a 1Password-based workflow but operating without third-party dependencies
Why It Matters
Prevents accidental API key and credential exposure when using AI coding assistants that automatically scan project files.