Comment by ivannovazzi

3 days ago

Neat framing around the AI angle. A complementary approach is removing .env files from the workflow entirely rather than masking them — so there's nothing to leak to begin with.

We built KeyEnv (https://keyenv.dev) for exactly that: the CLI pulls AES-256 encrypted secrets at runtime so .env files never exist locally. `keyenv run -- npm start` and secrets are injected as env vars, then gone.

The tradeoff is it requires a network hop and team buy-in, whereas enveil is local. Different threat models — enveil protects secrets already on disk from AI tools, KeyEnv prevents them from touching disk at all.
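To make the runtime-injection model above concrete, here is a small added example (my own illustration, not KeyEnv's or enveil's code): a parsed in-memory payload stands in for the decrypted secrets a backend would return, the command after `--` is launched with those values in its environment only, and the parent process and the filesystem never hold them. The payload format, the `--` splitting, and the function names are assumptions for this demo; KeyEnv's real wire format, crypto and CLI options are not represented.

```python
"""Runtime secret injection without a .env file on disk.

Constructed illustration: the 'fetched' payload is an inline string standing in
for what a secrets backend would return after decryption; nothing here is
KeyEnv's wire format or code.
"""
import os
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample payload (stand-in for a decrypted backend response).
FETCHED_PAYLOAD = """\
# comment lines and blanks are ignored
API_KEY=sk-example-0000
DB_URL=postgres://app:example-pw@db.internal/app
"""

# POSIX-style variable names only; anything else is rejected rather than
# silently exported under a name the program would never look up.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_secrets(payload: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines from an in-memory payload (never from a file)."""
    secrets: Dict[str, str] = {}
    for lineno, raw in enumerate(payload.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE")
        name, value = line.split("=", 1)
        name = name.strip()
        if not NAME_RE.match(name):
            raise ValueError(f"line {lineno}: invalid variable name {name!r}")
        secrets[name] = value.strip()
    return secrets


def split_command(argv: List[str]) -> List[str]:
    """Return the command after the '--' separator, as in `keyenv run -- npm start`."""
    if "--" not in argv:
        raise ValueError("expected '--' before the command to run")
    cmd = argv[argv.index("--") + 1:]
    if not cmd:
        raise ValueError("no command given after '--'")
    return cmd


def run_with_secrets(cmd: List[str], secrets: Dict[str, str]) -> subprocess.CompletedProcess:
    """Run cmd with the secrets in *its* environment only.

    The parent's os.environ is copied, not modified, so once the child exits
    the secrets exist nowhere in this process and never touched disk.
    """
    child_env = dict(os.environ)
    child_env.update(secrets)
    return subprocess.run(cmd, env=child_env, capture_output=True, text=True, check=False)


def demo_child_reads_secret() -> str:
    """Launch a child that prints API_KEY from its environment; return what it printed."""
    secrets = parse_secrets(FETCHED_PAYLOAD)
    # sys.executable stands in for `npm start` so the demo runs anywhere.
    cmd = split_command(["run", "--", sys.executable, "-c",
                         "import os; print(os.environ['API_KEY'])"])
    result = run_with_secrets(cmd, secrets)
    return result.stdout.strip()


def secret_in_parent_env(name: str) -> bool:
    """True if the secret leaked into this (parent) process's environment."""
    return name in os.environ


if __name__ == "__main__":
    print("child saw:", demo_child_reads_secret())
    print("parent has API_KEY:", secret_in_parent_env("API_KEY"))
```

One caveat worth keeping in mind with any runtime-injection tool: "gone" applies to the parent and to disk, but while the child runs its environment is readable by anything with the same privileges (for example via `/proc/<pid>/environ` on Linux) and is inherited by every process it spawns, so the protection is against at-rest exposure, not against a compromised or over-privileged runtime.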