by hjkl_hacker 114 days ago
This doesn’t really fix that it can echo the secrets and read the logs. `enveil run -- printenv`
2 comments

Not the author, but no, the decryption would ask for the secret again? The readme mentions it's wiped from memory after use.
Jenkins CI has a clever feature where every password it injects will be redacted if printed to stdout; `enveil run` could do that with the wrapped process?

Of course that's only a defense against accidents. Nothing prevents encoding base64 or piping to disk.
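
An added example, not part of the thread and not code from enveil or Jenkins: a minimal stdout redactor of the kind the comment above suggests, which also masks a secret split across two reads, and which lets the base64-encoded form through unchanged, as the comment notes. The names `StreamRedactor` and `redact_stream` and the secret value are hypothetical and constructed for illustration.

```python
import base64

MASK = b"****"

class StreamRedactor:
    """Masks known secret values in a byte stream that arrives in arbitrary chunks."""

    def __init__(self, secrets):
        # Longest first, so a secret that contains another one is masked whole.
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self.pending = b""

    def _holdback(self, data):
        # Length of the longest tail of data that could be the start of a secret.
        best = 0
        for s in self.secrets:
            for k in range(min(len(s) - 1, len(data)), best, -1):
                if data.endswith(s[:k]):
                    best = k
                    break
        return best

    def feed(self, chunk):
        data = self.pending + chunk
        for s in self.secrets:
            data = data.replace(s, MASK)
        keep = self._holdback(data)
        # Hold back a possible partial secret until the next chunk resolves it.
        self.pending = data[len(data) - keep:]
        return data[:len(data) - keep]

    def flush(self):
        # Call at EOF of the wrapped process: whatever is held was not a secret.
        out, self.pending = self.pending, b""
        return out

def redact_stream(secrets, chunks):
    r = StreamRedactor(secrets)
    return b"".join(r.feed(c) for c in chunks) + r.flush()

if __name__ == "__main__":
    secret = b"s3cr3t-constructed-token"  # constructed sample value
    # Constructed child output: the secret is split across two pipe reads.
    print(redact_stream([secret], [b"API_TOKEN=s3cr3t-con", b"structed-token\n"]))
    # The encoded form does not match any known secret and passes through.
    print(redact_stream([secret], [base64.b64encode(secret) + b"\n"]))
```
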