EnvArmor: AI-Aware Env Secrets Security Platform

Ali Mahmood Rana — Fri, 05 Jun 2026 20:15:47 +0000

This is a submission for the GitHub Finish-Up-A-Thon Challenge

GitHub Repo: github.com/AliRana30/EnvArmor
npm Package: npmjs.com/package/envarmor-cli
Live Demo: env-armor.vercel.app

What I Built

Most developers have a secret-leaking story. Mine happened during a late-night push — a .env file slipped past .gitignore, and I caught it only after the commit was already on GitHub. No real damage that time, but the near-miss stuck with me.

The bigger realization came later: with AI coding tools like Cursor and Copilot ingesting entire project directories automatically, the leak surface expanded beyond public repos. A single unignored secret could quietly travel to a third-party AI provider during a normal development session. Nobody talks about that enough.

That's what EnvArmor is built to stop.

It ships as two things: a CLI scanner that hooks into git commit and blocks the push before secrets leave your machine, and a web dashboard where you can track scan history, review financial risk projections tied to real service abuse costs, and manage encrypted variables — without emailing .env files over Slack.

Tech Stack

Web Dashboard

Framework: Next.js 15 (App Router)
Database: Prisma ORM + Supabase PostgreSQL
Auth: Supabase (Magic Links + GitHub OAuth)
Styling: Vanilla CSS + custom Tailwind (Neo-Brutalist, high-contrast UI)

CLI

Runtime: TypeScript + Node.js
Commands: Commander.js, Chalk
Detection Engine: Regex pattern signatures + Shannon Entropy analysis
Vault: Local AES-256 encryption before cloud sync

Core Features

Financial Risk Estimation: When EnvArmor detects a Stripe key, an AWS credential, or an OpenAI token, it doesn't just flag it — it maps it to a real abuse cost range (e.g., $200–$5,000). You see the actual dollar exposure, not just a severity label.
AI Context Guard: Scans your project and auto-generates context exclusion rules to keep secrets out of Cursor, Copilot, and Claude's context windows during active development.
Zero Plan Limits: Every account supports unlimited project creation. Useful if you're juggling multiple microservices or monorepos and don't want to hit an arbitrary cap.
Local-to-Cloud Linking: A .envarmor config file or --project CLI flag binds your terminal session directly to the right dashboard project. No manual syncing.
Encrypted Vault: Variables encrypt on your machine before hitting the cloud. Nothing travels in plaintext.

Demo (Screenshots)

Web Application

Home
An interactive landing page covering EnvArmor's core features, live detection statistics, and links to the docs and dashboard.

Dashboard
The main control panel — real-time scan analytics, secret severity breakdown, active projects, and estimated financial savings from blocked events.

Projects
All linked repositories in one view, with individual scan results, API key status, and active security rules per project.

New Project
A setup wizard to register repository metadata, define project scope, and configure environment policies.

Scan History
A searchable, chronological log of every scan — filenames, severity, leak status, and recommended fixes included.

Vault (Launching as a paid feature)
Encrypted secret storage with rotation schedules and credential access logs.

Settings
Profile details, notification triggers, organization scope, and API token management.

Login / Signup
Magic link or GitHub OAuth. Fast, clean, no friction.

Blog
Security advisories, vulnerability write-ups, and environment configuration best practices.

Realtime User Stats
A live summary card — total secrets detected, financial risk prevented, and onboarding timestamps per user.

CLI Tool

Initialization
npx envarmor init creates the local config, .envarmorignore, and wires up the pre-commit hook.

Login
envarmor login --key <api_key> links your terminal directly to your web profile.

Full Codebase Scan
envarmor scan -all sweeps every project folder for hardcoded secrets, database connection strings, and live API tokens.

AI Tool Protection
Detects and blocks AI agents from reading environment keys during active coding sessions.

Commit Blocking
The pre-commit hook intercepts every git commit, scans the staged diff, and rejects it if any secrets are present.

The Comeback Story

Where the Project Was

Six months ago, EnvArmor was a desktop-only prototype held together with duct tape and good intentions. The core scanner worked. Everything else was broken in ways that weren't obvious until you tried to actually use it.

Split Identity

The codebase lived under two names — the old EnvGuard and the new EnvArmor — simultaneously. Conflicting namespaces, broken directory references, mismatched Prisma schemas, and compilation errors that only appeared at link time. Rebranding sounds simple until half your imports point to the wrong package.

Fake Metrics on the Dashboard

The dashboard showed EST. $0K+ Savings Created across every account. Hardcoded. Static. Not connected to the database at all. The number looked good in a screenshot and meant nothing.

Hard Caps That Broke Real Workflows

The database had hard check constraints that blocked non-premium users from creating more than a few projects. Fine for a single app. Useless for anyone managing microservices or a multi-repo workspace.

Auth That Crashed Silently

No email validation before sending magic links. Supabase's 429 rate limit error surfaced as a raw network crash — no message, no retry guidance, just a broken page. New signups regularly hit this and bounced.

Mobile Was Unusable

Long file paths in the scan tables had no wrapping rules. They pushed severity badges and action buttons completely off-screen. The dashboard was desktop-only in practice, even though it wasn't designed that way.

CTAs That Led Nowhere

Primary call-to-action buttons pointed to # anchors. Clicking "Get Started" on the landing page did nothing. There was also no onboarding guide — new users arrived with no path forward.

Risk Math That Disagreed With Itself

Financial estimates were calculated independently in the dashboard summary, the project detail view, and the activity feed. All three used different logic. All three showed different numbers for the same data.

Where It Is Now

Unified Codebase and Published CLI

Every reference to EnvGuard is gone. Directory names, database schemas, npm package name, component imports, metadata — all standardized under EnvArmor. Version 0.1.1 of envarmor-cli is live on npm and installable with npx envarmor init.

A Savings Engine That Reads Real Data

lib/savings-engine.ts pulls live ScanEvent records from the database and calculates financial exposure using severity-based multipliers. Pre-commit blocked events apply a 10x multiplier automatically — because stopping a secret before it commits is worth more than catching it after. The dashboard now shows numbers that mean something.

No More Project Caps

Hard database constraints replaced with dynamic limits tied to account metadata. Every tier supports unlimited project creation. Building five microservices in parallel no longer requires an upgrade.

Auth That Handles Failure Gracefully

/api/v1/auth/check-email validates registration before any OTP is sent. Supabase 429 errors now return a clear cooldown message with retry timing instead of crashing the page. A developer bypass workflow handles local testing without triggering rate limits.

Mobile That Actually Works

Dashboard grids rebuilt with responsive flex and grid utilities. File paths in scan tables use break-all. Severity badges and action buttons stay on screen at any viewport width. Tested across mobile, tablet, and desktop.

Docs Inside the Dashboard

An interactive CLI Docs page now lives inside the dashboard — installation steps, config options, flag overrides, vault operations. No hunting through a separate README.

One Source of Truth for Risk Math

All financial and risk calculations route through the Savings Engine. Every dashboard surface — summary cards, activity feeds, project detail views, analytics — reads from the same function with the same logic. The numbers agree now.

What Changed, Fixed, or Got Added

Unified Brand Architecture: Every folder, schema, model, component, and npm reference now points to EnvArmor. The EnvGuard era is gone.
Live Savings Engine: lib/savings-engine.ts queries real ScanEvent logs, applies severity tiers, and adds the 10x multiplier for pre-commit blocks. Dashboard projections are now live, not hardcoded.
Auth Preflight Route: /api/v1/auth/check-email runs before OTP delivery. Supabase 429s surface as friendly cooldown messages, not crashes.
Limitless Projects: Hard caps removed. Unlimited creation across all account tiers.
Responsive Layouts: break-all on file paths, fluid grid rebuilds on dashboard panels, tested across viewports.
CLI Docs Hub: Built inside the dashboard — covers init, login, scan flags, vault commands, and project linking.
Consistent Audit Logs: estimateSavings utility now powers both recent activity logs and project detail views. No more discrepancies.
Production .gitignore: Filters .envarmor local configs, .venv/, temp scan reports, and build artifacts.

My Experience with GitHub Copilot

I used Copilot throughout this sprint, and the moments where it actually saved time were specific enough to be worth calling out.

Savings Engine Completion

When I wrote the estimateSavings function signature with its severity parameter and return type, Copilot completed the entire multiplier table — CRITICAL: 10x, HIGH: 5x, MEDIUM: 2x, LOW: 1x — in a single suggestion. I adjusted the thresholds, but the structure was right on the first completion. That function is now the single source of truth for every financial figure in the dashboard.

Preflight Route Scaffolding

For the /api/v1/auth/check-email route, Copilot inlined the Supabase admin client lookup, the 429 detection branch, and the JSON error shape in one pass. I only had to wire in the cooldown timer logic and adjust the response messages. A route that would have taken 30 minutes of back-and-forth with docs took about 10.

Shannon Entropy Test Cases

Writing unit tests for the entropy-based secret detector is tedious — you need strings that hover right at the boundary between high-entropy random values and normal code. Copilot generated a solid set of boundary cases I hadn't thought to include: UUID-adjacent strings, base64 padding edge cases, and short tokens that look like secrets but aren't. Several of those cases caught real false positives in the scanner.

Responsive Grid Fixes

When I was patching the mobile overflow issues, I described the problem in a comment — "file paths in scan table overflow on mobile, need break-all with flex wrap on action column" — and Copilot suggested the full Tailwind class combination, including the min-w-0 fix on the flex child that actually solved the overflow. That one I wouldn't have found without digging through docs.

Final Outcome

EnvArmor went from a prototype that worked in one narrow scenario to a platform you can actually ship a project with.

It now delivers:

Pre-commit secret blocking with Shannon Entropy + Regex detection
Live financial risk projections tied to real scan data
AI context window protection for Cursor, Copilot, and Claude
Responsive dashboard across mobile, tablet, and desktop
Reliable auth with rate-limit protection and email validation
Unlimited project creation across all account tiers
Published CLI (envarmor-cli on npm)
Consistent risk math across every dashboard surface

The secret-leaking story I mentioned at the start? EnvArmor would have caught it at the pre-commit hook — before the push, before the panic, before the late-night token rotation. That's the version worth shipping.

DEV Community: Ali Mahmood Rana