You simply encrypt a covenant opcode circuit containing a particular private key, e.g., CTV.

let F be your encrypted function under PK P.

F takes as input a tx A, a covenant program C, and outputs signature of A under P tweaked by C (P_C) if C(A) = true.

If A's input is spendable by P_C, this is a covenant opcode with a one time trusted setup.

if you want to have a one-time one-time setup, you could even encrypt a covenant opcode compiler that outputs FE functions with the new opcodes you design.

these FE covenants are superior in all ways shapes and forms to script covenants except two:

they require a one-time trusted setup ceremony and use crypto that is not very well developed.

otherwise, they are basically a ZKP that a txn satisfies a covenant expressed as a PK

so script sizes are always more or less constant and they are indistinguishable from normal spends.

you don't even really need taproot script path, just keyspends should work in theory as you can lift all the scripts inside the function