A CLI proxy that redacts .env secrets before AI coding agents read project files, so credentials never enter LLM context
AI coding agents like Claude Code, Cursor, and GitHub Copilot automatically read every project file during sessions, silently loading .env API keys, tokens, and database passwords into LLM context. GitGuardian's 2026 report found 28.65M secrets leaked on GitHub in 2025, with AI-service leaks up 81%. This is a CLI-native zero-trust proxy that intercepts file reads from any coding agent, redacts credential values from .env and config files on the fly, and injects opaque placeholders that still satisfy the agent's reasoning without exposing raw secrets.
Demand Breakdown
Social Proof 3 sources
Gap Assessment
5 tools exist (HashiCorp Vault, Doppler, Infisical Agent Vault, dotenvx, GitGuardian ggshield) but gaps remain: Zero awareness of AI coding agent context. Vault injects secrets into env vars at process start, which means Claude Code/Cursor still read them as plaintext from .env or process environment. No .env-file interception layer, no prompt-injection defense, no per-agent session isolation.; Same gap as Vault: injects values into the environment before agent session starts, so the agent sees plaintext values in process env. No interception of file reads, no agent-context redaction, no MCP integration for coding agents..
Features7 agent-ready prompts
Competitive LandscapeFREE
| Product | Does | Missing |
|---|---|---|
| HashiCorp Vault | Enterprise-grade secrets manager with dynamic credential generation, lease TTLs, audit logging, and fine-grained access policies. Industry standard for production infrastructure secrets. | Zero awareness of AI coding agent context. Vault injects secrets into env vars at process start, which means Claude Code/Cursor still read them as plaintext from .env or process environment. No .env-file interception layer, no prompt-injection defense, no per-agent session isolation. |
| Doppler | Managed secrets sync platform. CLI and SDK inject secrets as env vars into running processes. Widely used for CI/CD pipelines and app config. | Same gap as Vault: injects values into the environment before agent session starts, so the agent sees plaintext values in process env. No interception of file reads, no agent-context redaction, no MCP integration for coding agents. |
| Infisical Agent Vault | Open-source HTTP credential proxy specifically for AI agents. Routes outbound API calls through a vault so agents never need raw keys for external service calls. 1.6k GitHub stars, described as research preview. | Covers only outbound HTTP calls the agent makes. Does not intercept .env file reads within the agent's local context window. No CLI wrapper for VS Code/Cursor/Claude Code file-system access. No support for database connection strings, SSH keys, or arbitrary config files beyond API calls. |
| dotenvx | Encrypted .env files using ECIES + AES-256 public-key cryptography. Commit encrypted secrets to git; decrypt at runtime with a private key. 5.5k stars, 6.5M weekly npm installs. | The private key decrypts the file at process start and the values land in process env. Claude Code reads process env as context. No runtime redaction layer. A compromised or prompt-injected agent still exfiltrates the decrypted value. |
| GitGuardian ggshield | Pre-commit hook and CI scanner that detects secrets before they land in repos. Extended in 2026 to intercept AI coding tool context. | Pre-commit detection catches secrets in code commits, not in live agent sessions. Does not intercept .env reads during a Claude Code or Cursor session. Reactive (flags after the fact) rather than preventive (blocks the read). |
Leads34BUILDER
Sign in to unlock full access.