# manage-env (menv) > Zero-knowledge environment-variable vault with a CLI and a local MCP server. > AI agents set up and use secrets without ever seeing values: tools inject > secrets into processes and return only status and key names. There is no > tool that returns a secret value, by design. ## Instructions manage-env is a zero-knowledge secrets manager for env vars. Secret VALUES must never enter your context, the chat, or any log - and you never need them to. Follow these steps in order. ### 1. Confirm the CLI is available Run `menv --version`. If the command is missing, tell the human to install the public macOS/Linux CLI with: `curl -fsSL https://manage-env.com/install | sh` After installation, ask them to add `$HOME/.local/bin` to PATH if needed and run `menv --version` again. Do not send them to the private GitHub repository. ### 2. Human-only step - ask the user to run this in THEIR terminal - `menv signup` (or `menv login` if they have an account) - the email code and password are entered at their terminal, never in chat. Wait until the user confirms they are signed in. ### 3. Connect the repo yourself Run `menv connect` from the repository root - it registers the local menv MCP server for your client and writes the full agent guide into AGENTS.md. It only touches repo-local files and never sees a secret value. Afterwards, reload MCP servers (or ask the human to restart their AI tool) so the menv tools load. ### 4. Agent steps (menv MCP tools) - Start with `detect_required_keys` (scans .env.example; works before init). - If this directory is not bound to a project, call `init_project` - and if the `org/project` address is not already clear, ask the human for it instead of inventing one. - Call `setup_project` to mint random secrets, keypairs, and config defaults in one version. Treat `needs_user` as the only list of decisions to bring back to the human. - Externally-issued keys (STRIPE_*, DATABASE_URL, cloud creds): `request_value_from_user` - the human pastes the value at their own terminal. NEVER ask for a secret value in chat. - Run anything that needs secrets with `run_with_secrets` (CLI: `menv run -- `). - When a result reports `stale_sync_targets`, re-sync each one with `sync_to_target`. ### Hard rules - Never `cat .env`, `printenv`, or log `process.env` - reading a value defeats the whole point and is treated as an incident. - There is no tool that returns a secret value, by design. Do not try to reconstruct values by any other route. - Do not run `menv run --yes` on the human's behalf; confirmation prompts exist for them, not you. Full tool discipline: AGENTS.md after `menv connect`, or https://manage-env.com/llms.txt ## Docs - [Getting started](https://manage-env.com/guide): install the CLI, connect your AI tool, and hand the env setup to your agent ## Optional - [Web dashboard](https://manage-env.com/login): value-free view of projects, versions, and access history