agent-env
Universal secret injection for AI coding agents.
One command. Every agent. Secrets stay out of your shell history.
curl -fsSL https://raw.githubusercontent.com/jordanburke/agent-env/main/install.sh | bash agent-env run claude The problem with secrets today
AI agents need API keys. Current approaches all have trade-offs.
~/.bashrc Export in .bashrc Leaks to every process, clutters your shell
$ KEY=... Prefix every command API keys in shell history, tedious
.envrc Use direnv Not designed for secrets, no encryption
N configs Configure each agent Different config per tool, fragmented
agent-env — one secrets file, automatic discovery, optional encryption. Works with every agent.
How it works
Four steps, zero config, one bash script.
Discover
Walks from PWD up to git root, then global fallbacks. Finds .sops.env or .env automatically.
# auto-discovers .env or .sops.env Detect
Auto-detects format: grep "^sops:" header means SOPS, otherwise dotenv. No config needed.
# grep -q "^sops:" → SOPS mode Load
SOPS files decrypted via sops exec-env. Dotenv files sourced with set -a. Secrets in memory only.
# secrets loaded into env vars Exec
Process replacement via exec. agent-env ceases to exist. Only your agent remains.
# exec claude "$@" Works with every agent
If it runs as a CLI, agent-env supports it.
agent-env run claude agent-env run codex agent-env run aider agent-env run goose agent-env run cline agent-env run continue agent-env run cursor agent-env run windsurf
agent-env run <any-command>
Get started
Two ways to install. Takes seconds.
One-line install
curl -fsSL https://raw.githubusercontent.com/jordanburke/agent-env/main/install.sh | bashClone and install
git clone https://github.com/jordanburke/agent-env.git
cd agent-env && ./install.shQuick start
agent-env init — create .env in your project .env agent-env run claude — done
Want encryption? Use agent-env init --sops for SOPS + age encrypted secrets
that are safe to commit to git.