Split secrets from MCP configs

[NatoBoram]

Describe the feature or problem you'd like to solve

Configs should receive secrets from a different file

Proposed solution

A file at ~/.copilot/.env could be used to store secrets separately from the configs.

Example prompts or workflows

This would allow open-sourcing one's dotfiles.

Example with Gemini CLI:

• https://github.com/NatoBoram/.dotfiles/blob/713c5bd0148f159f397efc5f2b19310759b5f9e1/.gemini/settings.json#L41-L48

Example with VSCode:

• https://github.com/NatoBoram/.dotfiles/blob/0862b0aa9618be349e62b66928bd1e6034a620b7/.config/Code%20-%20Insiders/User/mcp.json#L68-L73

Additional context

This is already supported by other programs. Here's some examples.

VSCode:

{
	"inputs": [
		{
			"description": "Tavily API Key",
			"id": "tavily_api_key",
			"password": true,
			"type": "promptString"
		}
	],
	"servers": {
		"tavily": {
			"args": ["tavily-mcp@latest"],
			"command": "bunx",
			"env": { "TAVILY_API_KEY": "${input:tavily_api_key}" },
			"type": "stdio"
		}
	}
}

And in Gemini CLI:

{
	"mcpServers": {
		"tavily": {
			"args": ["tavily-mcp@latest"],
			"command": "bunx",
			"env": { "TAVILY_API_KEY": "$TAVILY_API_KEY" },
			"trust": true
		}
	}
}

[examon]

This appears to already be possible using existing MCP config support for $VAR and ${VAR} expansion from the shell environment. For example, setting "TAVILY_API_KEY": "$TAVILY_API_KEY" in your MCP server's env field reads from the environment at runtime, so you can keep secrets out of the committed config. Copilot CLI does not currently provide a dedicated ~/.copilot/.env secrets file, but the underlying goal is achievable today with environment variables. If that still doesn't meet your needs, please feel free to reopen this issue.