AI Tools
Your .env.schema gives AI agents full context on your configuration (variable names, types, validation rules, descriptions), while your secret values never leave your machine or touch AI servers.
This solves two problems with AI-assisted development:
- Secret exposure: AI tools read your project files, including
.envfiles. With varlock, secrets are never stored in plain text. They’re fetched at runtime from secure providers. - AI-generated leaks: AI agents may hardcode secrets or log sensitive values in generated code.
varlock scancatches these leaks before they’re committed, and runtime protection redacts secrets from logs and responses.
Securely inject secrets into AI CLI tools
Section titled “Securely inject secrets into AI CLI tools”Many AI coding assistants offer CLI tools that require API keys and other secrets. Instead of storing these secrets in plain text .env or .json files or exposing them in your shell history, use varlock to inject them securely at runtime. This applies both to config that might be required to bootstrap the tool itself, as well as things like MCP servers that require API keys.
1. Install varlock
Section titled “1. Install varlock”If you haven’t already, install varlock on your system.
2. Create an environment schema
Section titled “2. Create an environment schema”Define your API keys and secrets in your .env.schema file. Mark sensitive values appropriately:
# @plugin(@varlock/1password-plugin)# @initOp(allowAppAuth=true)# ---# @sensitive @requiredOPENAI_API_KEY=op(op://api-local/openai/api-key)
# @sensitive @requiredANTHROPIC_API_KEY=op(op://api-local/anthropic/api-key)
# @sensitive @requiredGOOGLE_API_KEY=op(op://api-local/google/api-key)Store the actual secret values in your preferred secret provider. The examples above use the 1Password plugin’s op() resolver, but any provider plugin works the same way (AWS Secrets Manager, and more). If you’d rather not depend on an external provider, keep encrypted values in a gitignored .env.local using device-local encryption. See also the Secrets guide.
3. Run your tool via varlock run
Section titled “3. Run your tool via varlock run”Execute your AI CLI tool through varlock to securely inject environment variables:
varlock run -- <your-cli-command>See AI CLI tool examples below for tool-specific setup.
AI CLI tool examples
Section titled “AI CLI tool examples”Popular AI coding CLIs differ in which env vars they need and how they authenticate. Varlock supports two patterns:
- Project setup: define secrets in the repo’s
.env.schema(steps 1-2 above) and runvarlock run -- <tool>from the project directory. - Personal setup: keep a schema in your home directory (for example
~/.env.claude) and pass it with-pwhen launching a tool from any directory (usually using an alias).
Varlock does not auto-load a global schema (that would make two developers’ machines behave differently for the same repo).
Claude Code is Anthropic’s CLI tool for AI-assisted coding.
Environment variable: ANTHROPIC_API_KEY. See supported env variables.
In a project, add to .env.schema:
# @sensitive @requiredANTHROPIC_API_KEY=op(op://api-local/anthropic/api-key)varlock run -- claudeFrom any directory, personal schema at ~/.env.claude:
# @sensitive @requiredANTHROPIC_API_KEY=op(op://api-local/anthropic/api-key)varlock run -p ~/.env.claude -- claudeShell alias (optional):
alias vclaude='varlock run -p ~/.env.claude --no-redact-stdout -- claude'--no-redact-stdout keeps Claude’s own terminal output unredacted while secrets stay out of your shell history.
Opencode is a provider-agnostic AI coding assistant that works in your terminal.
Environment variables:
ANTHROPIC_API_KEYfor Claude modelsOPENAI_API_KEYfor OpenAI modelsOPENCODE_CONFIGpath to custom config file (optional)
Auth configuration: run opencode auth login once. When prompted for an API key, paste an env reference instead:
{"env:ANTHROPIC_API_KEY"}
Your config file (~/.local/share/opencode/auth.json) should look like:
{ "anthropic": { "type": "api", "key": "{env:ANTHROPIC_API_KEY}" }}In a project, add to .env.schema:
# @sensitive @requiredANTHROPIC_API_KEY=op(op://api-local/anthropic/api-key)
# @sensitiveOPENAI_API_KEY=op(op://api-local/openai/api-key)varlock run -- opencode
# or with a specific modelvarlock run -- opencode --model claude-3-5-sonnetFrom any directory, personal schema at ~/.env.opencode:
# @sensitive @requiredANTHROPIC_API_KEY=op(op://api-local/anthropic/api-key)
# @sensitiveOPENAI_API_KEY=op(op://api-local/openai/api-key)varlock run -p ~/.env.opencode -- opencode
# or with a specific modelvarlock run -p ~/.env.opencode -- opencode --model claude-3-5-sonnetShell alias (optional):
alias vopencode='varlock run -p ~/.env.opencode --no-redact-stdout -- opencode'See the Opencode docs for more information.
Antigravity CLI is Google’s agent-first terminal experience, the successor to Gemini CLI, which has been phased out.
Launch command: agy
Authentication: Antigravity signs in via Google OAuth on first launch (credentials live in your system keyring).
varlock run -- agyFrom any directory, personal schema at ~/.env.antigravity for project-agnostic defaults:
# @type=enum(development, staging, production)APP_ENV=developmentvarlock run -p ~/.env.antigravity -- agyShell alias (optional):
alias vagy='varlock run -p ~/.env.antigravity --no-redact-stdout -- agy'See the Antigravity CLI getting started guide and installation & auth docs for OAuth, enterprise, and headless setup.
Install the Varlock skill
Section titled “Install the Varlock skill”Give your AI agent project-scoped instructions for working with Varlock: security rules, schema checklists, and CLI guidance. Install using one of:
Install with the skills CLI (recommended):
npx skills add dmno-dev/varlockThe CLI detects your installed agents and installs to the correct skills directory (Cursor, Claude Code, Codex, Copilot, OpenCode, and 50+ others).
Target a specific agent with -a:
npx skills add dmno-dev/varlock -a cursor -a claude-code -yUpdate later with:
npx skills update varlockInstall with gh skill (requires GitHub CLI v2.90+):
gh skill install dmno-dev/varlock varlockTarget a specific agent and scope:
gh skill install dmno-dev/varlock varlock --agent cursor --scope projectUpdate later with:
gh skill update varlockAgent mode
Section titled “Agent mode”Varlock provides a non-interactive --agent flag for init and load, designed for AI coding assistants running commands on your behalf.
varlock init --agent
Section titled “varlock init --agent”Use this when an AI agent is setting up Varlock in a project:
varlock init --agentIn agent mode, init skips interactive confirmation prompts, uses deterministic defaults when multiple .env.example files are found, and prints schema review guidance for the agent to follow.
varlock load --agent
Section titled “varlock load --agent”Use this to validate resolved config without exposing secret values in logs or agent transcripts:
varlock load --agentAgent mode defaults to JSON output and redacts values marked @sensitive. It is not compatible with --format env or --format shell (which would expose raw values).
Drop the --agent flag when you need human-readable output to show the user directly.
Reading varlock output programmatically
Section titled “Reading varlock output programmatically”When an agent needs to consume varlock output rather than show it to a user, prefer machine-readable formats and branch on exit codes:
varlock load --agent: flat{ "KEY": value }JSON on stdout with@sensitivevalues redacted. Safe to keep in a transcript.varlock load --agent --format json-full: the full serialized graph (sources, per-item validation state, sensitivity) with sensitive values redacted, for when you need to reason about why something is invalid, not just the values. Always keep--agenthere: plain--format json-fullemits raw secret values and must not go into an agent transcript.- Exit codes:
varlock loadexits non-zero when config is invalid,varlock runforwards the child command’s exit code, andvarlock scanexits1when it finds a leaked secret. Check the code instead of parsing prose. - stdout vs stderr: pass
--summary-stderr(or--summary-file) so the redacted human summary goes to stderr while stdout stays clean JSON for parsing.
See the CLI commands reference for the full output-format and exit-code details.
Allowing schema files for AI tools
Section titled “Allowing schema files for AI tools”Most AI tools ignore .env.* files by default. To ensure your AI tool can access your environment schema, add the following to your .gitignore:
!.env.schemaIf you use a tool with its own ignore file, check that tool’s documentation to see how it handles ignore files and make sure .env.schema is allowed.
Custom instructions and rules
Section titled “Custom instructions and rules”The Varlock agent skill is the recommended way to give agents structured guidance for schema work and CLI usage.
You can also provide broader context with the full Varlock llms.txt. In Cursor, this is accomplished via ‘Add New Custom Docs’.
If your tool supports custom rules, you can use our own varlock Cursor rule file from this repo as a starting point to create your own that is most suited to your workflow.
Scan for leaked secrets
Section titled “Scan for leaked secrets”AI agents can sometimes hardcode secret values or leak them into generated code. Use varlock scan to detect leaked secrets in your codebase:
# Scan the current directory for leaked secret valuesvarlock scan
# Scan specific pathsvarlock scan ./src ./configYou can also set up varlock scan as a git pre-commit hook to automatically catch leaks before they’re committed:
# Add to your .git/hooks/pre-commit or use a hook manager like husky/lefthookvarlock scan --stagedThis is especially useful when working with AI coding tools. The scan command compares your resolved secret values against your codebase to find any that may have been accidentally included in plain text.
Varlock Docs MCP
Section titled “Varlock Docs MCP”We also have a docs MCP server that allows you to search the Varlock docs. See more details here.