AI agent
Receives status, key names, and the next action — not plaintext or child-process output.
Ask once in chat. manage-env generates what it can, collects provider keys through your local terminal, syncs approved CI targets, and runs the app — returning only status and key names.
You
Set up this repo's env. Generate what you can, ask me only for provider keys, then run the app.
AI agent
I'll handle it with local manage-env tools. Values stay out of chat and tool results.
setup_project
4 generated locally · 2 config defaults ready
request_value_from_user
Local prompt · STRIPE_SECRET_KEY, DATABASE_URL
sync_to_target
GitHub Actions synced · key names only
run_with_secrets
App exited 0 · 1.8s · no process output returned
The agent sees statuses, key names, and next steps — never a secret value.
What goes where
Receives status, key names, and the next action — not plaintext or child-process output.
Decrypts locally and injects only when a process or an approved sync target needs the value.
Stores ciphertext, wrapped keys, and value-free metadata that it cannot turn into plaintext.
MCP tools inject secrets into a child process and return only exit codes and key names. There is no get-secret tool — by design, a value can't travel back through a tool result.
Values are decrypted client-side and sent only to the local process or provider you explicitly approved. Our server stores encrypted data it cannot decrypt.
Diff, history, and sync status run on keyed fingerprints, not plaintext. We compare versions without ever seeing a value.
Don't take our word for it. See encryption run in your own browser.
XChaCha20-Poly1305 · Argon2id · end-to-end encrypted
One-time setup
Use the terminal for the first trust setup and local prompts. After that, the main interface is the AI request in your editor.
Your AI can discover required keys, initialize the project, and set up what is safe to create automatically.
run_with_secrets injects values into the process and returns only status, duration, and key names.
Sync to GitHub Actions, Vercel, or Cloudflare only after committed target declarations and human trust approval.
$menv signup
$menv connect
$menv init me/my-app
Tell your AI
Set up this repo with manage-env. Generate safe random/config values, ask me locally for provider-issued secrets, sync trusted CI targets, then run the app without returning secret values.
Create an account, connect your first repo, and give your agent one clear instruction.