Introduction
hushenv is a local secret manager built for a world where AI coding agents read your project folder. Instead of keeping secrets in your .env file, hushenv keeps references there and stores the real values encrypted in a local vault.
# .env — safe to commit, safe for an agent to readNEXTAUTH_URL=http://localhost:3000DATABASE_URL=postgres://app:{hushenv.DB_PASSWORD}@localhost:5432/appRESEND_KEY={hushenv.RESEND_KEY}The real values are encrypted with AES-256-GCM in ~/.hushenv/vault.json. The master key lives in your operating system’s keychain — never in a file on disk. Plaintext exists in exactly one place: your application’s environment, in memory, while hushenv run is executing.
Why it exists
Section titled “Why it exists”You hand your repository to Cursor, Claude Code, or Copilot, and every file in the folder goes with it — .env included. A single prompt can surface whatever sits there in plaintext. hushenv removes the secrets from the file entirely, so there is nothing to surface.
Where to go next
Section titled “Where to go next”Start with Getting started to install and store your first secret, then read Core concepts to understand how references, the vault, and the keychain fit together.