I built a tool to stop AI coding agents from leaking my secrets
Veil is a tool designed to protect sensitive API keys from being accessed by AI coding agents. It moves Bearer API keys from .env files into the operating system's keychain while leaving placeholders behind for the agents to use. This ensures that the agents do not see the actual credentials, filling a gap that previous tools like .gitignore did not address.
- ▪Veil scans .env files and transfers Bearer secrets to the OS keychain, replacing them with placeholders.
- ▪The tool operates through a local HTTPS proxy, allowing agents to function without accessing real credentials.
- ▪Veil is not a replacement for secrets managers but complements them by hiding secrets from AI agents.
Opening excerpt (first ~120 words) tap to expand
.gitignore protected your secrets from git. Veil protects them from AI. Veil moves the Bearer API keys in your .env into your OS keychain, leaves format-preserving placeholders behind, and injects the real values at a local HTTPS proxy so the agent never sees them. One promise, one wire, no daemon. What's in scope. v1 mediates HTTP Authorization: Bearer credentials for the providers listed below, sourced from .env files. HTTP Basic, keyed-crypto schemes (AWS SigV4, GitHub App JWTs, HMAC webhooks), shell environment variables, MCP config files, and non-HTTP protocols are not in scope — Veil leaves them alone. See docs/MVP.md for the full contract. Demo Want to run it yourself? make build && ./scripts/record-demo.sh records this end-to-end against a synthetic .env.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.