Documentation Index
Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
Use this file to discover all available pages before exploring further.
AI coding agents (Claude Code, Codex, Cursor, …) run your app with whatever command they find — npm run dev, pytest, go run .. By default they expect a local .env file and have no idea your secrets live in Enkryptify, so they either fail with missing env vars or recreate a .env you don’t want.
There are two ways to make agents pick up secrets through the Enkryptify CLI automatically. Use either one, or both together.
Both approaches assume the CLI is configured once. Run ek login and then ek setup in your project — see the Quickstart. After that, every command works without further setup. Approach 1 — Bake ek run into your commands
Wrap the commands an agent naturally runs so secrets are injected transparently. The agent keeps calling npm run dev or make test — it just gets your Enkryptify secrets for free, without knowing Enkryptify exists.
Node.js
Python
Go
Ruby
Other
Wrap your scripts in package.json with ek run --:{
"scripts": {
"dev": "ek run -- next dev",
"start": "ek run -- node server.js",
"test": "ek run -- vitest",
"migrate": "ek run -- drizzle-kit push"
}
}
npm run dev, pnpm dev, and yarn dev all run with secrets injected — no change needed from the agent. Python has no standard script runner, so use a Makefile (or a justfile) as the entry point the agent calls:dev:
ek run -- python manage.py runserver
test:
ek run -- pytest
migrate:
ek run -- python manage.py migrate
make dev or make test with secrets injected. run:
ek run -- go run .
test:
ek run -- go test ./...
make run or make test with secrets injected.dev:
ek run -- rails server
test:
ek run -- bundle exec rspec
make dev or make test with secrets injected.A Makefile works for any stack and gives agents a consistent entry point regardless of language:dev:
ek run -- <your start command>
test:
ek run -- <your test command>
justfile, Taskfile.yml, shell scripts, or any task runner — just prefix the underlying command with ek run --. This is the most reliable approach because it doesn’t depend on the agent reading or following instructions — the secrets are wired into the command itself.
Approach 2 — Tell your agent to use ek run
Add a short instruction to your agent’s rules file so it prefixes commands with ek run -- and never touches .env files. Pick your agent below for the correct file location, then copy the prompt into it.
Claude Code
Codex
Cursor
GitHub Copilot
Windsurf
Gemini CLI
Other
Add the following to CLAUDE.md in your project root (create it if it doesn’t exist):## Secrets (Enkryptify)
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Add the following to AGENTS.md in your project root (create it if it doesn’t exist):## Secrets (Enkryptify)
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Add the following to .cursor/rules/enkryptify.mdc (or the legacy .cursorrules file):.cursor/rules/enkryptify.mdc
---
description: Use the Enkryptify CLI for secrets
alwaysApply: true
---
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Add the following to .github/copilot-instructions.md (create it if it doesn’t exist):.github/copilot-instructions.md
## Secrets (Enkryptify)
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Add the following to .windsurf/rules/enkryptify.md (or the legacy .windsurfrules file):.windsurf/rules/enkryptify.md
## Secrets (Enkryptify)
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Add the following to GEMINI.md in your project root (create it if it doesn’t exist):## Secrets (Enkryptify)
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Most agents read an AGENTS.md file in your project root — it’s becoming the shared standard across tools. Add the prompt there:## Secrets (Enkryptify)
This project's secrets and environment variables are managed by Enkryptify
(https://enkryptify.com), not by `.env` files.
- Never create, read, edit, or commit `.env` files, and never hardcode secret values.
- To run any command that needs environment variables — dev server, tests, scripts,
migrations — prefix it with `ek run --`. For example:
- `npm run dev` -> `ek run -- npm run dev`
- `pytest` -> `ek run -- pytest`
- `go run .` -> `ek run -- go run .`
- `ek run` fetches secrets from Enkryptify and injects them as environment variables
for that single command only.
- If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
Instructions are advisory — agents usually follow them, but not always. For a guarantee, combine this with Approach 1 so secrets are wired into the commands themselves. Next steps
