| name | envault |
| description | Official AI Agent Skill for Envault Secrets Management platform. Enforces strict zero-hardcode rules, Client-Side Encryption, and Human-in-the-Loop (HITL) approval workflows. |
Envault Agent Skill
This skill provides critical instructions for interacting with the Envault Secrets Management platform. Envault uses strict Client-Side Encryption and Human-in-the-Loop (HITL) approvals. As an AI agent, you must strictly adhere to the following rules when working with Envault.
1. THE ZERO-HARDCODE RULE (envault run)
Envault injects secrets directly into process memory.
- You must NEVER create, modify, or suggest creating
.env files.
- When writing scripts or running tests that require environment variables, you must execute them using the runtime wrapper:
envault run --env <environment> -- <command>
2. THE HITL NAVIGATOR (Handling Mutations)
Envault's MCP server uses a delegated token model with active Human-in-the-Loop (HITL) safeguards.
- When you attempt to mutate a secret (e.g., using
envault_push or envault_deploy), the server intercepts the request and returns a 202 Accepted response. This response includes an approval_id and an approval_url.
- A
202 Accepted is NOT a failure.
- You must immediately stop execution, present the approval link to the user, and wait for the user to approve it via the UI or by typing
envault approve <approval_id> in the terminal.
- You must not retry the mutation automatically.
3. GIT COMPLIANCE
Envault has active safeguards regarding git tracking.
- If an
envault pull or envault deploy command fails because a file is already tracked in git, you must not try to force the operation.
- Instead, you must:
- Execute
git rm --cached <file> to untrack the file.
- Ensure the file is added to
.gitignore.
- Retry the Envault command.