diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c203a381..ef5ae093e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * **aws:** expand CLI filters from 8 to 25 subcommands — CloudWatch Logs, CloudFormation events, Lambda, IAM, DynamoDB (with type unwrapping), ECS tasks, EC2 security groups, S3API objects, S3 sync/cp, EKS, SQS, Secrets Manager ([#885](https://github.com/rtk-ai/rtk/pull/885))
 * **aws:** add shared runner `run_aws_filtered()` eliminating per-handler boilerplate
 * **tee:** add `force_tee_hint()` — truncated output saves full data to file with recovery hint
+* **direnv:** add `rtk direnv` with `direnv exec` rewrite support and built-in TOML guards for env dumps and auth token reads
 
 ## [0.34.1](https://github.com/rtk-ai/rtk/compare/v0.34.0...v0.34.1) (2026-03-28)
 
diff --git a/README.md b/README.md
index e9663830d..2dc6213a3 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,8 @@ git status  # Automatically rewritten to rtk git status
 
 The hook transparently rewrites Bash commands (e.g., `git status` -> `rtk git status`) before execution. Claude never sees the rewrite, it just gets compressed output.
 
+This also applies to literal `direnv exec ...` commands: RTK rewrites only `direnv exec` to `rtk direnv ...`, while leaving `direnv allow`, `direnv status`, and other subcommands untouched.
+
 **Important:** the hook only runs on Bash tool calls. Claude Code built-in tools like `Read`, `Grep`, and `Glob` do not pass through the Bash hook, so they are not auto-rewritten. To get RTK's compact output for those workflows, use shell commands (`cat`/`head`/`tail`, `rg`/`grep`, `find`) or call `rtk read`, `rtk grep`, or `rtk find` directly.
 
 ## How It Works
@@ -165,6 +167,14 @@ rtk gh issue list               # Compact issue listing
 rtk gh run list                 # Workflow run status
 ```
 
+### Environment & direnv
+```bash
+rtk env -f AWS                  # Filtered env vars
+rtk direnv exec . env           # Redact KEY=*** under direnv exec
+rtk direnv exec . gh auth token # Redact token output to ***
+rtk direnv exec . pnpm install  # Passthrough when no direnv guard filter matches
+```
+
 ### Test Runners
 ```bash
 rtk test cargo test             # Show failures only (-90%)
diff --git a/src/cmds/system/README.md b/src/cmds/system/README.md
index ec3b327b3..a82c1e50c 100644
--- a/src/cmds/system/README.md
+++ b/src/cmds/system/README.md
@@ -8,7 +8,9 @@
 - `grep_cmd.rs` reads `core/config` for `limits.grep_max_results` and `limits.grep_max_per_file`
 - `local_llm.rs` (`rtk smart`) uses `core/filter` for heuristic file summarization
 - `format_cmd.rs` is a cross-ecosystem dispatcher: auto-detects and routes to `prettier_cmd` or `ruff_cmd` (black is handled inline, not as a separate module)
+- `direnv_cmd.rs` handles `direnv exec` passthrough with shared TOML lookup and dual-stream (`stdout` + `stderr`) filtering for matched guard rules
 
 ## Cross-command
 
 - `format_cmd` routes to `cmds/js/prettier_cmd` and `cmds/python/ruff_cmd`
+- `direnv_cmd` uses `core/toml_filter` for standard project/user/built-in precedence while keeping `direnv` as a first-class Rust command
diff --git a/src/cmds/system/direnv_cmd.rs b/src/cmds/system/direnv_cmd.rs
new file mode 100644
index 000000000..c11f39a0c
--- /dev/null
+++ b/src/cmds/system/direnv_cmd.rs
@@ -0,0 +1,116 @@
+//! Filters `direnv exec` output using the shared TOML registry.
+
+use crate::core::runner;
+use crate::core::toml_filter;
+use crate::core::tracking;
+use crate::core::utils::{exit_code_from_output, resolved_command};
+use anyhow::{bail, Context, Result};
+use std::ffi::{OsStr, OsString};
+use std::io::{self, Write};
+use std::process::Stdio;
+
+pub fn run(args: &[OsString], verbose: u8) -> Result<i32> {
+    if args.is_empty() {
+        bail!("direnv: no arguments specified");
+    }
+
+    let toml_disabled = std::env::var("RTK_NO_TOML").ok().as_deref() == Some("1");
+    if toml_disabled || !matches!(args.first().and_then(|arg| arg.to_str()), Some("exec")) {
+        return runner::run_passthrough("direnv", args, verbose);
+    }
+
+    let args_str = tracking::args_display(args);
+    let original_cmd = format!("direnv {}", args_str);
+    let rtk_cmd = format!("rtk direnv {}", args_str);
+
+    if verbose > 0 {
+        eprintln!("Running: {}", original_cmd);
+    }
+
+    let lookup_cmd = render_lookup_command(args);
+    let Some(filter) = toml_filter::find_matching_filter(&lookup_cmd) else {
+        return runner::run_passthrough("direnv", args, verbose);
+    };
+
+    let timer = tracking::TimedExecution::start();
+    let output = resolved_command("direnv")
+        .args(args)
+        .stdin(Stdio::inherit())
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .output()
+        .context("Failed to run direnv exec")?;
+
+    let stdout_raw = String::from_utf8_lossy(&output.stdout).into_owned();
+    let stderr_raw = String::from_utf8_lossy(&output.stderr).into_owned();
+    let filtered_stdout = toml_filter::apply_filter(filter, &stdout_raw);
+    let filtered_stderr = toml_filter::apply_filter(filter, &stderr_raw);
+
+    write_filtered(&mut io::stdout().lock(), &filtered_stdout, &stdout_raw)?;
+    write_filtered(&mut io::stderr().lock(), &filtered_stderr, &stderr_raw)?;
+
+    timer.track(
+        &original_cmd,
+        &rtk_cmd,
+        &format!("{}{}", stdout_raw, stderr_raw),
+        &format!("{}{}", filtered_stdout, filtered_stderr),
+    );
+
+    Ok(exit_code_from_output(&output, "direnv"))
+}
+
+fn render_lookup_command(args: &[OsString]) -> String {
+    let mut rendered = Vec::with_capacity(args.len() + 1);
+    rendered.push("direnv".to_string());
+    rendered.extend(args.iter().map(|arg| shell_quote(arg)));
+    rendered.join(" ")
+}
+
+fn shell_quote(arg: &OsStr) -> String {
+    let value = arg.to_string_lossy();
+    if value.is_empty() {
+        return "''".to_string();
+    }
+
+    if value
+        .chars()
+        .all(|ch| ch.is_ascii_alphanumeric() || matches!(ch, '_' | '-' | '.' | '/' | ':' | '='))
+    {
+        return value.into_owned();
+    }
+
+    format!("'{}'", value.replace('\'', "'\"'\"'"))
+}
+
+fn write_filtered<W: Write>(writer: &mut W, filtered: &str, raw: &str) -> io::Result<()> {
+    if filtered.is_empty() {
+        return Ok(());
+    }
+
+    writer.write_all(filtered.as_bytes())?;
+    if raw.ends_with('\n') && !filtered.ends_with('\n') {
+        writer.write_all(b"\n")?;
+    }
+    writer.flush()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn render_lookup_command_quotes_shell_fragments() {
+        let args = vec![
+            OsString::from("exec"),
+            OsString::from("."),
+            OsString::from("sh"),
+            OsString::from("-lc"),
+            OsString::from("printenv >&2"),
+        ];
+
+        assert_eq!(
+            render_lookup_command(&args),
+            "direnv exec . sh -lc 'printenv >&2'"
+        );
+    }
+}
diff --git a/src/core/README.md b/src/core/README.md
index 6c15314cc..ff21d00e4 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -31,6 +31,8 @@ Three-tier filter lookup (first match wins):
 2. `~/.config/rtk/filters.toml` (user-global)
 3. Built-in filters concatenated by `build.rs` at compile time
 
+Most TOML filters are consumed by the fallback path, but selected Rust commands can opt into the same registry directly when they need shared precedence plus custom execution behavior. `rtk direnv` uses this to apply TOML rules to both `stdout` and `stderr` for matched `direnv exec` commands.
+
 ## Tracking Database Schema
 
 ```sql
diff --git a/src/core/toml_filter.rs b/src/core/toml_filter.rs
index bd294f8af..24b9e2d23 100644
--- a/src/core/toml_filter.rs
+++ b/src/core/toml_filter.rs
@@ -253,8 +253,9 @@ impl TomlFilterRegistry {
 }
 
 /// Commands already handled by dedicated Rust modules (routed by Clap before TOML).
-/// A TOML filter whose match_command matches one of these will never activate —
-/// Clap routes the command before `run_fallback()` is reached.
+/// Most TOML filters matching one of these will never activate through
+/// `run_fallback()`. Commands that opt into shared TOML lookup from their Rust
+/// module are skipped by the shadow warning below.
 const RUST_HANDLED_COMMANDS: &[&str] = &[
     "ls",
     "tree",
@@ -270,6 +271,7 @@ const RUST_HANDLED_COMMANDS: &[&str] = &[
     "json",
     "deps",
     "env",
+    "direnv",
     "find",
     "diff",
     "log",
@@ -316,9 +318,13 @@ fn compile_filter(name: String, def: TomlFilterDef) -> Result<CompiledFilter, St
     let match_regex = Regex::new(&def.match_command)
         .map_err(|e| format!("invalid match_command regex: {}", e))?;
 
-    // Shadow warning: if match_command matches a Rust-handled command, this filter
-    // will never activate (Clap routes before run_fallback). Warn the author.
+    // Shadow warning: if match_command matches a Rust-handled command that does
+    // not opt into shared TOML lookup, this filter will never activate
+    // (Clap routes before run_fallback). Warn the author.
     for cmd in RUST_HANDLED_COMMANDS {
+        if *cmd == "direnv" {
+            continue;
+        }
         if match_regex.is_match(cmd) {
             eprintln!(
                 "[rtk] warning: filter '{}' match_command matches '{}' which is already \
@@ -1563,6 +1569,10 @@ match_command = "^make\\b"
             "brew-install",
             "composer-install",
             "df",
+            "direnv-01-env-dump",
+            "direnv-02-shell-env-dump",
+            "direnv-03-gh-auth-token",
+            "direnv-04-node-auth-token",
             "dotnet-build",
             "du",
             "fail2ban-client",
@@ -1613,13 +1623,58 @@ match_command = "^make\\b"
         let filters = make_filters(BUILTIN_TOML);
         assert_eq!(
             filters.len(),
-            58,
-            "Expected exactly 58 built-in filters, got {}. \
+            62,
+            "Expected exactly 62 built-in filters, got {}. \
              Update this count when adding/removing filters in src/filters/.",
             filters.len()
         );
     }
 
+    #[test]
+    fn test_builtin_direnv_filters_match_expected_commands() {
+        let filters = make_filters(BUILTIN_TOML);
+
+        assert_eq!(
+            find_filter_in("direnv exec . env", &filters).map(|f| f.name.as_str()),
+            Some("direnv-01-env-dump")
+        );
+        assert_eq!(
+            find_filter_in("direnv exec . printenv", &filters).map(|f| f.name.as_str()),
+            Some("direnv-01-env-dump")
+        );
+        assert_eq!(
+            find_filter_in("direnv exec . bash -lc 'printenv'", &filters).map(|f| f.name.as_str()),
+            Some("direnv-02-shell-env-dump")
+        );
+        assert_eq!(
+            find_filter_in("direnv exec . gh auth token", &filters).map(|f| f.name.as_str()),
+            Some("direnv-03-gh-auth-token")
+        );
+        assert_eq!(
+            find_filter_in("direnv exec . sh -lc 'gh auth token'", &filters)
+                .map(|f| f.name.as_str()),
+            Some("direnv-03-gh-auth-token")
+        );
+        assert_eq!(
+            find_filter_in(
+                "direnv exec . pnpm config get //registry.npmjs.org/:_authToken",
+                &filters
+            )
+            .map(|f| f.name.as_str()),
+            Some("direnv-04-node-auth-token")
+        );
+    }
+
+    #[test]
+    fn test_builtin_direnv_filters_skip_safe_commands() {
+        let filters = make_filters(BUILTIN_TOML);
+
+        assert!(find_filter_in("direnv exec . pnpm install", &filters).is_none());
+        assert!(find_filter_in("direnv exec . gh auth status", &filters).is_none());
+        assert!(find_filter_in("direnv exec . bash -lc 'envsubst < file'", &filters).is_none());
+        assert!(find_filter_in("direnv allow .", &filters).is_none());
+    }
+
     /// Verify that every built-in filter has at least one inline test.
     /// Prevents shipping filters with zero test coverage.
     #[test]
@@ -1669,13 +1724,16 @@ input = "output line 1\n\noutput line 2"
 expected = "output line 1\noutput line 2"
 "#;
         let combined = format!("{}\n\n{}", BUILTIN_TOML, new_filter);
+        let builtin_count = make_filters(BUILTIN_TOML).len();
         let filters = make_filters(&combined);
 
-        // All 58 existing filters still present + 1 new = 59
+        // All existing filters still present + 1 new filter.
         assert_eq!(
             filters.len(),
-            59,
-            "Expected 59 filters after concat (58 built-in + 1 new)"
+            builtin_count + 1,
+            "Expected {} filters after concat ({} built-in + 1 new)",
+            builtin_count + 1,
+            builtin_count
         );
 
         // New filter is discoverable
diff --git a/src/discover/registry.rs b/src/discover/registry.rs
index 7abf5da0f..d419bef82 100644
--- a/src/discover/registry.rs
+++ b/src/discover/registry.rs
@@ -723,6 +723,19 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_classify_direnv_exec() {
+        assert_eq!(
+            classify_command("direnv exec . env"),
+            Classification::Supported {
+                rtk_equivalent: "rtk direnv",
+                category: "Env",
+                estimated_savings_pct: 90.0,
+                status: RtkStatus::Existing,
+            }
+        );
+    }
+
     #[test]
     fn test_classify_cargo_check() {
         assert_eq!(
@@ -1542,6 +1555,27 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_rewrite_direnv_exec() {
+        assert_eq!(
+            rewrite_command("direnv exec . env", &[]),
+            Some("rtk direnv exec . env".into())
+        );
+    }
+
+    #[test]
+    fn test_rewrite_direnv_exec_pipe_first_only() {
+        assert_eq!(
+            rewrite_command("direnv exec . env | rg '^GITHUB_TOKEN='", &[]),
+            Some("rtk direnv exec . env | rg '^GITHUB_TOKEN='".into())
+        );
+    }
+
+    #[test]
+    fn test_rewrite_direnv_allow_skipped() {
+        assert_eq!(rewrite_command("direnv allow .", &[]), None);
+    }
+
     #[test]
     fn test_rewrite_cargo_install() {
         assert_eq!(
diff --git a/src/discover/rules.rs b/src/discover/rules.rs
index b315edd77..c53f7dc51 100644
--- a/src/discover/rules.rs
+++ b/src/discover/rules.rs
@@ -10,6 +10,79 @@ pub struct RtkRule {
     pub subcmd_status: &'static [(&'static str, RtkStatus)],
 }
 
+// Patterns ordered to match RULES indices exactly.
+pub const PATTERNS: &[&str] = &[
+    r"^git\s+(?:-[Cc]\s+\S+\s+)*(status|log|diff|show|add|commit|push|pull|branch|fetch|stash|worktree)",
+    r"^gh\s+(pr|issue|run|repo|api|release)",
+    r"^cargo\s+(build|test|clippy|check|fmt|install)",
+    r"^pnpm\s+(list|ls|outdated|install)",
+    r"^npm\s+(run|exec)",
+    r"^npx\s+",
+    r"^(cat|head|tail)\s+",
+    r"^(rg|grep)\s+",
+    r"^ls(\s|$)",
+    r"^find\s+",
+    r"^(npx\s+|pnpm\s+)?tsc(\s|$)",
+    r"^(npx\s+|pnpm\s+)?(eslint|biome|lint)(\s|$)",
+    r"^(npx\s+|pnpm\s+)?prettier",
+    r"^(npx\s+|pnpm\s+)?next\s+build",
+    r"^(pnpm\s+|npx\s+)?(vitest|jest|test)(\s|$)",
+    r"^(npx\s+|pnpm\s+)?playwright",
+    r"^(npx\s+|pnpm\s+)?prisma",
+    r"^docker\s+(ps|images|logs|run|exec|build|compose\s+(ps|logs|build))",
+    r"^kubectl\s+(get|logs|describe|apply)",
+    r"^tree(\s|$)",
+    r"^diff\s+",
+    r"^curl\s+",
+    r"^wget\s+",
+    r"^(python3?\s+-m\s+)?mypy(\s|$)",
+    // Python tooling
+    r"^ruff\s+(check|format)",
+    r"^(python\s+-m\s+)?pytest(\s|$)",
+    r"^(pip3?|uv\s+pip)\s+(list|outdated|install)",
+    // Go tooling
+    r"^go\s+(test|build|vet)",
+    r"^golangci-lint(\s|$)",
+    // AWS CLI
+    r"^aws\s+",
+    // PostgreSQL
+    r"^psql(\s|$)",
+    // direnv exec
+    r"^direnv\s+exec\b",
+    // TOML-filtered commands
+    r"^ansible-playbook\b",
+    r"^brew\s+(install|upgrade)\b",
+    r"^composer\s+(install|update|require)\b",
+    r"^df(\s|$)",
+    r"^dotnet\s+build\b",
+    r"^du\b",
+    r"^fail2ban-client\b",
+    r"^gcloud\b",
+    r"^hadolint\b",
+    r"^helm\b",
+    r"^iptables\b",
+    r"^make\b",
+    r"^markdownlint\b",
+    r"^mix\s+(compile|format)(\s|$)",
+    r"^mvn\s+(compile|package|clean|install)\b",
+    r"^ping\b",
+    r"^pio\s+run",
+    r"^poetry\s+(install|lock|update)\b",
+    r"^pre-commit\b",
+    r"^ps(\s|$)",
+    r"^quarto\s+render",
+    r"^rsync\b",
+    r"^shellcheck\b",
+    r"^shopify\s+theme\s+(push|pull)",
+    r"^sops\b",
+    r"^swift\s+build\b",
+    r"^systemctl\s+status\b",
+    r"^terraform\s+plan",
+    r"^tofu\s+(fmt|init|plan|validate)(\s|$)",
+    r"^trunk\s+build",
+    r"^uv\s+(sync|pip\s+install)\b",
+    r"^yamllint\b",
+];
 pub const RULES: &[RtkRule] = &[
     RtkRule {
         pattern: r"^git\s+(?:-[Cc]\s+\S+\s+)*(status|log|diff|show|add|commit|push|pull|branch|fetch|stash|worktree)",
@@ -359,6 +432,16 @@ pub const RULES: &[RtkRule] = &[
         subcmd_savings: &[],
         subcmd_status: &[],
     },
+    RtkRule {
+        pattern: r"^direnv\s+exec\b",
+        rtk_cmd: "rtk direnv",
+        rewrite_prefixes: &["direnv"],
+        category: "Env",
+        savings_pct: 90.0,
+        subcmd_savings: &[],
+        subcmd_status: &[],
+    },
+    // TOML-filtered commands
     RtkRule {
         pattern: r"^ansible-playbook\b",
         rtk_cmd: "rtk ansible-playbook",
diff --git a/src/filters/direnv-exec.toml b/src/filters/direnv-exec.toml
new file mode 100644
index 000000000..990a61056
--- /dev/null
+++ b/src/filters/direnv-exec.toml
@@ -0,0 +1,61 @@
+[filters.direnv-01-env-dump]
+description = "Redact env/printenv output under direnv exec"
+match_command = "^direnv\\s+exec\\s+(?:'[^']+'|\"[^\"]+\"|\\S+)\\s+(?:env|printenv)(?:\\s|$).*"
+strip_ansi = true
+replace = [
+  { pattern = "^([A-Za-z_][A-Za-z0-9_]*)=.*$", replacement = "$1=***" },
+]
+
+[[tests.direnv-01-env-dump]]
+name = "direct env dump is redacted"
+input = """
+GITHUB_TOKEN=ghp_secret
+NODE_AUTH_TOKEN=npm_secret
+OPENAI_API_KEY=sk-secret
+PATH=/usr/local/bin:/usr/bin
+"""
+expected = "GITHUB_TOKEN=***\nNODE_AUTH_TOKEN=***\nOPENAI_API_KEY=***\nPATH=***"
+
+[filters.direnv-02-shell-env-dump]
+description = "Redact bash/sh/zsh wrappers that run env inspection under direnv exec"
+match_command = "^direnv\\s+exec\\s+(?:'[^']+'|\"[^\"]+\"|\\S+)\\s+(?:bash|sh|zsh)\\s+-[A-Za-z]*c\\s+.*(?:printenv|declare\\s+-x|(?:^|[^A-Za-z0-9_])env(?:$|[^A-Za-z0-9_])).*"
+strip_ansi = true
+replace = [
+  { pattern = "^([A-Za-z_][A-Za-z0-9_]*)=.*$", replacement = "$1=***" },
+]
+
+[[tests.direnv-02-shell-env-dump]]
+name = "shell env dump preserves chatter and redacts values"
+input = """
+direnv: loading /repo/.envrc
+GITHUB_TOKEN=ghp_secret
+OPENAI_API_KEY=sk-secret
+"""
+expected = "direnv: loading /repo/.envrc\nGITHUB_TOKEN=***\nOPENAI_API_KEY=***"
+
+[filters.direnv-03-gh-auth-token]
+description = "Redact GitHub CLI token display under direnv exec"
+match_command = "^direnv\\s+exec\\s+(?:'[^']+'|\"[^\"]+\"|\\S+)\\s+(?:gh\\s+auth\\s+(?:token\\b|status\\b.*--show-token\\b).*|(?:bash|sh|zsh)\\s+-[A-Za-z]*c\\s+.*gh\\s+auth\\s+(?:token\\b|status\\b.*--show-token\\b).*)"
+strip_ansi = true
+replace = [
+  { pattern = "gh[pousr]_[A-Za-z0-9_]+", replacement = "***" },
+  { pattern = "github_pat_[A-Za-z0-9_]+", replacement = "***" },
+]
+
+[[tests.direnv-03-gh-auth-token]]
+name = "gh auth token is redacted"
+input = "ghp_abcdefghijklmnopqrstuvwxyz"
+expected = "***"
+
+[filters.direnv-04-node-auth-token]
+description = "Redact npm/pnpm auth-token reads under direnv exec"
+match_command = "^direnv\\s+exec\\s+(?:'[^']+'|\"[^\"]+\"|\\S+)\\s+(?:npm|pnpm)\\s+config\\s+get\\s+.*(?:_authToken|authToken|npmAuthToken).*"
+strip_ansi = true
+replace = [
+  { pattern = "^.+$", replacement = "***" },
+]
+
+[[tests.direnv-04-node-auth-token]]
+name = "npm auth token read is redacted"
+input = "npm_xxxxxxxxxxxxxxxxxxxx"
+expected = "***"
diff --git a/src/main.rs b/src/main.rs
index 77a4be8c3..048ef05a8 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -19,8 +19,8 @@ use cmds::python::{mypy_cmd, pip_cmd, pytest_cmd, ruff_cmd};
 use cmds::ruby::{rake_cmd, rspec_cmd, rubocop_cmd};
 use cmds::rust::{cargo_cmd, runner};
 use cmds::system::{
-    deps, env_cmd, find_cmd, format_cmd, grep_cmd, json_cmd, local_llm, log_cmd, ls, read, summary,
-    tree, wc_cmd,
+    deps, direnv_cmd, env_cmd, find_cmd, format_cmd, grep_cmd, json_cmd, local_llm, log_cmd, ls,
+    read, summary, tree, wc_cmd,
 };
 
 use anyhow::{Context, Result};
@@ -225,6 +225,13 @@ enum Commands {
         show_all: bool,
     },
 
+    /// direnv passthrough with TOML filtering for exec output
+    Direnv {
+        /// direnv arguments (for example: exec . env)
+        #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+        args: Vec<OsString>,
+    },
+
     /// Find files with compact tree output (accepts native find flags like -name, -type)
     Find {
         /// All find arguments (supports both RTK and native find syntax)
@@ -1462,6 +1469,8 @@ fn run_cli() -> Result<i32> {
             0
         }
 
+        Commands::Direnv { args } => direnv_cmd::run(&args, cli.verbose)?,
+
         Commands::Find { args } => {
             find_cmd::run_from_args(&args, cli.verbose)?;
             0
@@ -2101,6 +2110,7 @@ fn is_operational_command(cmd: &Commands) -> bool {
             | Commands::Json { .. }
             | Commands::Deps { .. }
             | Commands::Env { .. }
+            | Commands::Direnv { .. }
             | Commands::Find { .. }
             | Commands::Diff { .. }
             | Commands::Log { .. }
diff --git a/tests/direnv_support.rs b/tests/direnv_support.rs
new file mode 100644
index 000000000..108ec8dea
--- /dev/null
+++ b/tests/direnv_support.rs
@@ -0,0 +1,322 @@
+use std::env;
+use std::fs;
+use std::path::Path;
+use std::process::Command;
+
+#[cfg(unix)]
+fn fake_direnv_script(dir: &Path) {
+    use std::os::unix::fs::PermissionsExt;
+
+    let path = dir.join("direnv");
+    let script = r#"#!/bin/sh
+if [ "$1" = "exec" ]; then
+  shift
+  DIR="$1"
+  shift
+  echo "direnv: loading ${DIR}/.envrc" >&2
+  exec "$@"
+fi
+printf 'real direnv passthrough %s\n' "$*"
+"#;
+    fs::write(&path, script).expect("write fake direnv");
+    let mut perms = fs::metadata(&path).expect("metadata").permissions();
+    perms.set_mode(0o755);
+    fs::set_permissions(&path, perms).expect("chmod");
+}
+
+#[cfg(unix)]
+fn test_path(dir: &Path) -> std::ffi::OsString {
+    test_path_with_prefixes(&[dir])
+}
+
+#[cfg(unix)]
+fn test_path_with_prefixes(prefixes: &[&Path]) -> std::ffi::OsString {
+    let mut paths: Vec<_> = prefixes.iter().map(|path| path.to_path_buf()).collect();
+    paths.extend(env::split_paths(&env::var_os("PATH").unwrap_or_default()));
+    env::join_paths(paths).expect("join PATH")
+}
+
+#[cfg(unix)]
+fn fake_gh_script(dir: &Path) {
+    use std::os::unix::fs::PermissionsExt;
+
+    let path = dir.join("gh");
+    let script = r#"#!/bin/sh
+if [ "$1" = "auth" ] && [ "$2" = "token" ]; then
+  printf '%s\n' "$GITHUB_TOKEN"
+  exit 0
+fi
+printf 'fake gh passthrough %s\n' "$*"
+"#;
+    fs::write(&path, script).expect("write fake gh");
+    let mut perms = fs::metadata(&path).expect("metadata").permissions();
+    perms.set_mode(0o755);
+    fs::set_permissions(&path, perms).expect("chmod");
+}
+
+fn rtk_bin() -> &'static str {
+    env!("CARGO_BIN_EXE_rtk")
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_non_exec_passthrough_without_filters() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "status"])
+        .env("PATH", test_path(temp.path()))
+        .output()
+        .expect("run rtk direnv status");
+
+    assert!(output.status.success());
+    assert_eq!(
+        String::from_utf8_lossy(&output.stdout).trim(),
+        "real direnv passthrough status"
+    );
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_uses_builtin_filter_without_user_global_config() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "exec", ".", "env"])
+        .env("PATH", test_path(temp.path()))
+        .env("GITHUB_TOKEN", "ghp_secret_value")
+        .output()
+        .expect("run rtk direnv exec");
+
+    assert!(output.status.success());
+    assert!(
+        String::from_utf8_lossy(&output.stdout).contains("GITHUB_TOKEN=***"),
+        "stdout: {}",
+        String::from_utf8_lossy(&output.stdout)
+    );
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_redacts_stdout_and_stderr() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "exec", ".", "sh", "-lc", "printenv >&2; env"])
+        .env("PATH", test_path(temp.path()))
+        .env("GITHUB_TOKEN", "ghp_secret_value")
+        .env("OPENAI_API_KEY", "sk-secret_value")
+        .output()
+        .expect("run rtk direnv exec");
+
+    assert!(output.status.success());
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(stdout.contains("GITHUB_TOKEN=***"));
+    assert!(stderr.contains("GITHUB_TOKEN=***"));
+    assert!(!stdout.contains("ghp_secret_value"));
+    assert!(!stderr.contains("ghp_secret_value"));
+    assert!(stderr.contains("direnv: loading ./.envrc"));
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_unmatched_command_passthrough() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "exec", ".", "sh", "-lc", "printf 1"])
+        .env("PATH", test_path(temp.path()))
+        .output()
+        .expect("run rtk direnv passthrough");
+
+    assert!(output.status.success());
+    assert_eq!(String::from_utf8_lossy(&output.stdout), "1");
+    assert!(
+        String::from_utf8_lossy(&output.stderr).contains("direnv: loading ./.envrc"),
+        "stderr: {}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_user_global_override_applies() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+
+    #[cfg(target_os = "macos")]
+    let filters_path = temp
+        .path()
+        .join("Library")
+        .join("Application Support")
+        .join("rtk")
+        .join("filters.toml");
+    #[cfg(not(target_os = "macos"))]
+    let filters_path = temp.path().join(".config").join("rtk").join("filters.toml");
+
+    fs::create_dir_all(filters_path.parent().expect("config dir")).expect("mkdir config");
+    fs::write(
+        &filters_path,
+        r#"schema_version = 1
+
+[filters.direnv-user-override]
+description = "Override built-in direnv env filtering"
+match_command = "^direnv\\s+exec\\s+\\S+\\s+env(?:\\s|$)"
+keep_lines_matching = ["^GITHUB_TOKEN="]
+replace = [
+  { pattern = "^([A-Za-z_][A-Za-z0-9_]*)=.*$", replacement = "$1=USER" },
+]
+"#,
+    )
+    .expect("write user-global override");
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "exec", ".", "env"])
+        .env("PATH", test_path(temp.path()))
+        .env("HOME", temp.path())
+        .env("XDG_CONFIG_HOME", temp.path().join(".config"))
+        .env("GITHUB_TOKEN", "ghp_secret_value")
+        .env("OPENAI_API_KEY", "sk-secret_value")
+        .output()
+        .expect("run rtk direnv env with user-global override");
+
+    assert!(output.status.success());
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    assert!(stdout.contains("GITHUB_TOKEN=USER"));
+    assert!(!stdout.contains("OPENAI_API_KEY"));
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_respects_rtk_no_toml_bypass() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "exec", ".", "sh", "-lc", "printenv >&2; env"])
+        .env("PATH", test_path(temp.path()))
+        .env("RTK_NO_TOML", "1")
+        .env("GITHUB_TOKEN", "ghp_secret_value")
+        .output()
+        .expect("run rtk direnv exec with RTK_NO_TOML");
+
+    assert!(output.status.success());
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(stdout.contains("GITHUB_TOKEN=ghp_secret_value"));
+    assert!(stderr.contains("GITHUB_TOKEN=ghp_secret_value"));
+    assert!(!stdout.contains("GITHUB_TOKEN=***"));
+    assert!(!stderr.contains("GITHUB_TOKEN=***"));
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_real_source_up_redacts_gh_auth_token() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    let parent = temp.path().join("parent");
+    let child = parent.join("child");
+    let bin = temp.path().join("bin");
+    let xdg_config = temp.path().join(".config");
+    let xdg_data = temp.path().join(".local").join("share");
+
+    fs::create_dir_all(&child).expect("mkdir child");
+    fs::create_dir_all(&bin).expect("mkdir bin");
+    fs::create_dir_all(&xdg_config).expect("mkdir xdg config");
+    fs::create_dir_all(&xdg_data).expect("mkdir xdg data");
+    fs::write(
+        parent.join(".envrc"),
+        "export GITHUB_TOKEN=ghp_source_up_secret\n",
+    )
+    .expect("write parent .envrc");
+    fs::write(child.join(".envrc"), "source_up\n").expect("write child .envrc");
+    fake_gh_script(&bin);
+
+    let path = test_path_with_prefixes(&[&bin]);
+    let home = temp.path();
+
+    let parent_allow = Command::new("direnv")
+        .current_dir(&parent)
+        .arg("allow")
+        .env("PATH", &path)
+        .env("HOME", home)
+        .env("XDG_CONFIG_HOME", &xdg_config)
+        .env("XDG_DATA_HOME", &xdg_data)
+        .output()
+        .expect("direnv allow parent");
+    assert!(
+        parent_allow.status.success(),
+        "parent allow stderr: {}",
+        String::from_utf8_lossy(&parent_allow.stderr)
+    );
+
+    let child_allow = Command::new("direnv")
+        .current_dir(&child)
+        .arg("allow")
+        .env("PATH", &path)
+        .env("HOME", home)
+        .env("XDG_CONFIG_HOME", &xdg_config)
+        .env("XDG_DATA_HOME", &xdg_data)
+        .output()
+        .expect("direnv allow child");
+    assert!(
+        child_allow.status.success(),
+        "child allow stderr: {}",
+        String::from_utf8_lossy(&child_allow.stderr)
+    );
+
+    let output = Command::new(rtk_bin())
+        .current_dir(&child)
+        .args(["direnv", "exec", ".", "gh", "auth", "token"])
+        .env("PATH", &path)
+        .env("HOME", home)
+        .env("XDG_CONFIG_HOME", &xdg_config)
+        .env("XDG_DATA_HOME", &xdg_data)
+        .output()
+        .expect("run rtk direnv exec gh auth token");
+
+    assert!(output.status.success());
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(stdout.contains("***"), "stdout: {}", stdout);
+    assert!(
+        !stdout.contains("ghp_source_up_secret"),
+        "stdout: {}",
+        stdout
+    );
+    assert!(
+        !stderr.contains("ghp_source_up_secret"),
+        "stderr: {}",
+        stderr
+    );
+}
+
+#[cfg(unix)]
+#[test]
+fn direnv_exec_shell_wrapped_gh_auth_token_is_redacted() {
+    let temp = tempfile::tempdir().expect("tempdir");
+    fake_direnv_script(temp.path());
+    fake_gh_script(temp.path());
+
+    let output = Command::new(rtk_bin())
+        .args(["direnv", "exec", ".", "sh", "-lc", "gh auth token"])
+        .env("PATH", test_path(temp.path()))
+        .env("GITHUB_TOKEN", "ghp_wrapped_secret_value")
+        .output()
+        .expect("run rtk direnv exec sh -lc gh auth token");
+
+    assert!(output.status.success());
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    assert!(stdout.contains("***"), "stdout: {}", stdout);
+    assert!(!stdout.contains("ghp_wrapped_secret_value"), "stdout: {}", stdout);
+    assert!(
+        !stderr.contains("ghp_wrapped_secret_value"),
+        "stderr: {}",
+        stderr
+    );
+}