Jenkins CI has a clever feature where every password it injects will be redacted if printed to stdout; `enveil run` could do that with the wrapped process?
Of course that's only a defense against accidents. Nothing prevents encoding base64 or piping to disk.
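An added example, not part of the comment above and not Jenkins or `enveil` code: a wrapper-side output filter that masks known secret values in the child's output, including values split across two reads, and passes an encoded copy through untouched. `StreamRedactor`, `redact_stream`, the mask text and the sample secret are all hypothetical names and constructed values.

```python
import base64

MASK = b"[REDACTED]"
SECRET = b"hunter2-constructed-token"  # constructed sample value, not a real credential


class StreamRedactor:
    """Masks known secret values in a byte stream that arrives in arbitrary chunks."""

    def __init__(self, secrets):
        # Longest first, so a secret that contains another one is masked whole.
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self.buf = b""

    def _mask(self, data):
        for s in self.secrets:
            data = data.replace(s, MASK)
        return data

    def _held_len(self, data):
        # Length of the longest tail of data that could still grow into a secret.
        longest = max((len(s) for s in self.secrets), default=1) - 1
        for n in range(min(longest, len(data)), 0, -1):
            if any(s.startswith(data[-n:]) for s in self.secrets):
                return n
        return 0

    def feed(self, chunk):
        # Re-scan the held-back tail together with the new chunk, then hold
        # back any new partial match instead of printing it.
        data = self._mask(self.buf + chunk)
        keep = self._held_len(data)
        self.buf = data[len(data) - keep:]
        return data[:len(data) - keep]

    def flush(self):
        # End of stream: whatever was held back never completed a secret.
        out, self.buf = self.buf, b""
        return out


def redact_stream(chunks, secrets):
    r = StreamRedactor(secrets)
    return b"".join(r.feed(c) for c in chunks) + r.flush()


if __name__ == "__main__":
    # The secret is split across three reads, as pipe reads often are.
    print(redact_stream([b"login with hunt", b"er2-constructed", b"-token ok\n"], [SECRET]))
    # The base64 form contains no literal match, so it is printed unchanged.
    print(redact_stream([base64.b64encode(SECRET)], [SECRET]))
```
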