> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AI agents

> Make AI coding agents use the Enkryptify CLI automatically instead of expecting a local .env file

AI coding agents (Claude Code, Codex, Cursor, …) run your app with whatever command they find — `npm run dev`, `pytest`, `go run .`. By default they expect a local `.env` file and have no idea your secrets live in Enkryptify, so they either fail with missing env vars or recreate a `.env` you don't want.

There are two ways to make agents pick up secrets through the Enkryptify CLI automatically. Use either one, or both together.

<Note>
  Both approaches assume the CLI is configured once. Run `ek login` and then `ek setup` in your project — see the [Quickstart](/cli/quickstart). After that, every command works without further setup.
</Note>

## Approach 1 — Bake `ek run` into your commands

Wrap the commands an agent naturally runs so secrets are injected transparently. The agent keeps calling `npm run dev` or `make test` — it just gets your Enkryptify secrets for free, without knowing Enkryptify exists.

<Tabs>
  <Tab title="Node.js">
    Wrap your scripts in `package.json` with `ek run --`:

    ```json package.json theme={"dark"}
    {
      "scripts": {
        "dev": "ek run -- next dev",
        "start": "ek run -- node server.js",
        "test": "ek run -- vitest",
        "migrate": "ek run -- drizzle-kit push"
      }
    }
    ```

    Now `npm run dev`, `pnpm dev`, and `yarn dev` all run with secrets injected — no change needed from the agent.
  </Tab>

  <Tab title="Python">
    Python has no standard script runner, so use a `Makefile` (or a `justfile`) as the entry point the agent calls:

    ```makefile Makefile theme={"dark"}
    dev:
    	ek run -- python manage.py runserver

    test:
    	ek run -- pytest

    migrate:
    	ek run -- python manage.py migrate
    ```

    Agents then run `make dev` or `make test` with secrets injected.
  </Tab>

  <Tab title="Go">
    ```makefile Makefile theme={"dark"}
    run:
    	ek run -- go run .

    test:
    	ek run -- go test ./...
    ```

    Agents then run `make run` or `make test` with secrets injected.
  </Tab>

  <Tab title="Ruby">
    ```makefile Makefile theme={"dark"}
    dev:
    	ek run -- rails server

    test:
    	ek run -- bundle exec rspec
    ```

    Agents then run `make dev` or `make test` with secrets injected.
  </Tab>

  <Tab title="Other">
    A `Makefile` works for any stack and gives agents a consistent entry point regardless of language:

    ```makefile Makefile theme={"dark"}
    dev:
    	ek run -- <your start command>

    test:
    	ek run -- <your test command>
    ```

    The same idea applies to a `justfile`, `Taskfile.yml`, shell scripts, or any task runner — just prefix the underlying command with `ek run --`.
  </Tab>
</Tabs>

<Tip>
  This is the most reliable approach because it doesn't depend on the agent reading or following instructions — the secrets are wired into the command itself.
</Tip>

## Approach 2 — Tell your agent to use `ek run`

Add a short instruction to your agent's rules file so it prefixes commands with `ek run --` and never touches `.env` files. Pick your agent below for the correct file location, then copy the prompt into it.

<Tabs>
  <Tab title="Claude Code">
    Add the following to `CLAUDE.md` in your project root (create it if it doesn't exist):

    ```markdown CLAUDE.md theme={"dark"}
    ## Secrets (Enkryptify)

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>

  <Tab title="Codex">
    Add the following to `AGENTS.md` in your project root (create it if it doesn't exist):

    ```markdown AGENTS.md theme={"dark"}
    ## Secrets (Enkryptify)

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>

  <Tab title="Cursor">
    Add the following to `.cursor/rules/enkryptify.mdc` (or the legacy `.cursorrules` file):

    ```markdown .cursor/rules/enkryptify.mdc theme={"dark"}
    ---
    description: Use the Enkryptify CLI for secrets
    alwaysApply: true
    ---

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>

  <Tab title="GitHub Copilot">
    Add the following to `.github/copilot-instructions.md` (create it if it doesn't exist):

    ```markdown .github/copilot-instructions.md theme={"dark"}
    ## Secrets (Enkryptify)

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>

  <Tab title="Windsurf">
    Add the following to `.windsurf/rules/enkryptify.md` (or the legacy `.windsurfrules` file):

    ```markdown .windsurf/rules/enkryptify.md theme={"dark"}
    ## Secrets (Enkryptify)

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>

  <Tab title="Gemini CLI">
    Add the following to `GEMINI.md` in your project root (create it if it doesn't exist):

    ```markdown GEMINI.md theme={"dark"}
    ## Secrets (Enkryptify)

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>

  <Tab title="Other">
    Most agents read an `AGENTS.md` file in your project root — it's becoming the shared standard across tools. Add the prompt there:

    ```markdown AGENTS.md theme={"dark"}
    ## Secrets (Enkryptify)

    This project's secrets and environment variables are managed by Enkryptify
    (https://enkryptify.com), not by `.env` files.

    - Never create, read, edit, or commit `.env` files, and never hardcode secret values.
    - To run any command that needs environment variables — dev server, tests, scripts,
      migrations — prefix it with `ek run --`. For example:
        - `npm run dev`  ->  `ek run -- npm run dev`
        - `pytest`       ->  `ek run -- pytest`
        - `go run .`     ->  `ek run -- go run .`
    - `ek run` fetches secrets from Enkryptify and injects them as environment variables
      for that single command only.
    - If `ek` is not set up yet, run `ek login` once, then `ek setup` inside the project.
    ```
  </Tab>
</Tabs>

<Note>
  Instructions are advisory — agents usually follow them, but not always. For a guarantee, combine this with [Approach 1](#approach-1-bake-ek-run-into-your-commands) so secrets are wired into the commands themselves.
</Note>

## Next steps

* Learn what `ek run` does in the [Commands](/cli/commands#run) reference
* See per-language run examples in the [Developer onboarding](/resources/developer-onboarding) guide
