HeadlinesBriefing.com

enveil Encrypts .env Secrets to Block AI Snooping

Hacker News

A new Rust tool called enveil aims to solve a growing security problem: AI coding assistants like Claude Code and GitHub Copilot can accidentally expose your environment secrets by reading plaintext `.env` files. The tool encrypts secrets locally and injects them directly into applications at runtime, ensuring they never touch disk as readable text.

Developed by GreatScott, enveil stores encrypted secrets in a per-project local database and replaces `.env` references with `ev://` URIs. When you run `enveil run -- npm start`, it prompts for a master password, decrypts the store using AES-256-GCM with Argon2id key derivation, and injects the resolved values into the subprocess environment. The approach keeps secrets out of shell history and process listings, and keeps AI tools from reading them by accident.
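The resolve-and-inject step described above, as an added sketch that is not enveil's own code: the `KEY=ev://<name>` reference form, the function names and the sample values are assumptions, and an in-memory map stands in for the store after AES-256-GCM decryption.

```rust
use std::collections::HashMap;
use std::process::Command;

// Assumed reference form: KEY=ev://<name>. The page does not give the exact syntax.
const SCHEME: &str = "ev://";
// Constructed sample template; only the reference, not the secret, is on disk.
const TEMPLATE: &str = "# constructed sample\nPORT=3000\nDATABASE_URL=ev://database_url\n";

/// Stand-in for the store after decryption (constructed values, memory only).
fn sample_store() -> HashMap<String, String> {
    let mut s = HashMap::new();
    s.insert("database_url".to_string(), "postgres://app:constructed-pw@localhost/dev".to_string());
    s
}

/// Resolve a template to (name, value) pairs. Fails closed: an unknown
/// ev:// reference is an error, never an empty or literal value.
fn resolve_env(template: &str, store: &HashMap<String, String>) -> Result<Vec<(String, String)>, String> {
    let mut out = Vec::new();
    for (i, raw) in template.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let (key, value) = line
            .split_once('=')
            .ok_or_else(|| format!("line {}: expected KEY=VALUE", i + 1))?;
        let resolved = match value.trim().strip_prefix(SCHEME) {
            Some(name) => store
                .get(name)
                .cloned()
                .ok_or_else(|| format!("line {}: no secret named '{}'", i + 1, name))?,
            None => value.trim().to_string(),
        };
        out.push((key.trim().to_string(), resolved));
    }
    Ok(out)
}

/// Spawn the command with resolved values set in the child's environment only;
/// nothing is written to disk or placed on the command line.
fn run_with_secrets(template: &str, store: &HashMap<String, String>, program: &str, args: &[&str]) -> Result<String, String> {
    let vars = resolve_env(template, store)?;
    let out = Command::new(program).args(args).envs(vars).output().map_err(|e| e.to_string())?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

fn main() {
    let printed = run_with_secrets(TEMPLATE, &sample_store(), "sh", &["-c", "printf %s \"$PORT\""]);
    println!("child saw PORT={:?}", printed);
}
```

Variables set this way are inherited by anything the child process itself spawns, so the injected values are visible to the whole subprocess tree.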

The tool draws inspiration from Filip Hric's 1Password-based solution but offers a self-contained alternative that doesn't rely on third-party services. With 31 automated tests verifying security claims—including that secrets never appear as plaintext on disk and that wrong passwords return errors—enveil provides a practical defense against the increasing risk of AI-assisted secret exposure in development workflows.