Pre-submit Checks
Describe the solution you'd like?
When working in regulated or security-sensitive environments (FedRAMP, CMMC, DoD IL4/IL5), developers and security engineers frequently need to inject secrets into their shell session. The current workflow requires exporting secrets as environment variables directly in the terminal:
export AWS_SECRET_ACCESS_KEY=EXAMPLE
This exposes secrets in shell history, Warp's scrollback buffer, and any session logs. In compliance-controlled environments this is a policy violation and a real audit finding. Warp's agent-first model makes this worse — agents executing commands on the user's behalf increase the surface area for unintended secret exposure.
Proposed solution: A warp vault inject command that fetches a secret from a secrets manager and injects it as an environment variable in memory only - never written to scrollback, history, or logs.
warp vault inject aws/prod/api-key --as API_KEY
Scrollback redaction: if a secret value appears in terminal output anyway, Warp masks it with [REDACTED].
Scope for v1:
- AWS Secrets Manager support
- In-memory injection only — no shell history writes
- Scrollback redaction for known secret values
- Config file for mapping vault paths to env var names
Future providers: HashiCorp Vault, 1Password, Azure Key Vault
Prior art:
- direnv — no secrets manager integration, no redaction
- chamber — external to the terminal, no scrollback protection
- 1Password CLI (op run) — closest analog, but not terminal-native
Is your feature request related to a problem? Please describe.
No response
Additional context
No response
Operating system (OS)
Select an OS
How important is this feature to you?
1 (Not too important)