Purpose
Manage environment variables safely: validate required vars are set, generate .env.example, document variables, and detect accidentally committed secrets.
Arguments
- `--validate` — Check all required env vars are set (default)
- `--generate-example` — Create/update `.env.example` from `.env`
- `--document` — Generate ENV.md documentation
- `--check-secrets` — Scan for secrets in codebase
What gets created/updated
```
.env.example    # Template with placeholders
ENV.md          # Documentation of all variables
.gitignore      # Ensure .env is ignored
```
Environment file hierarchy
```
.env                # Local overrides (git-ignored)
.env.local          # Local secrets (git-ignored)
.env.development    # Dev defaults (committed)
.env.production     # Prod defaults (committed, no secrets)
.env.example        # Template (committed)
```
Validation rules
For each variable, specify:
- required — Must be set
- optional — May be empty
- format — URL, email, number, boolean, etc.
- secret — Should never be committed
.env.example format
```bash
# Database
MONGODB_URI=mongodb://localhost:27017/myapp  # Required: MongoDB connection string

# Auth (obtain from Google Cloud Console)
GOOGLE_CLIENT_ID=      # Required: OAuth client ID
GOOGLE_CLIENT_SECRET=  # Required: OAuth client secret (secret)

# Optional
LOG_LEVEL=info  # Optional: debug|info|warn|error
```
Workflow
Validate (--validate)
- Load env schema (from code or config)
- Check each required var is set
- Validate formats
- Report missing/invalid
Generate example (--generate-example)
- Read current `.env`
- Redact secret values
- Add placeholder comments
- Write `.env.example`
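A minimal sketch of the `--validate` and `--generate-example` steps, added here as an example and not the skill's own implementation. The schema object, function names and sample `.env` contents are assumptions constructed for illustration; stripping `user:password@` from URL values is an extra safeguard the page does not describe.

```javascript
// Hypothetical schema using the page's rule types: required, format, secret.
const isUrl = (v) => { try { new URL(v); return true; } catch { return false; } };
const schema = {
  MONGODB_URI: { required: true, format: isUrl },
  GOOGLE_CLIENT_ID: { required: true },
  GOOGLE_CLIENT_SECRET: { required: true, secret: true },
  LOG_LEVEL: { required: false, format: /^(debug|info|warn|error)$/ },
};

// Minimal KEY=value parser: skips comment lines, strips " # ..." tails and quotes.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_]\w*)\s*=(.*)$/);
    if (!m) continue;
    const raw = m[2].replace(/(^|\s)#.*$/, "").trim();
    env[m[1]] = raw.replace(/^(['"])(.*)\1$/, "$2");
  }
  return env;
}
// Pass/fail per variable; values are never echoed, so the report is safe to log.
function validate(env, rules) {
  return Object.entries(rules).map(([name, rule]) => {
    const value = env[name] ?? "";
    if (value === "") return { name, ok: !rule.required, reason: rule.required ? "missing" : "unset" };
    const check = rule.format instanceof RegExp ? (v) => rule.format.test(v) : rule.format;
    const ok = !check || check(value);
    return { name, ok, reason: ok ? "ok" : "invalid format" };
  });
}
// .env.example lines: secrets are blanked, and user:password@ is stripped from
// URL-style values, since a connection string can embed a credential.
function generateExample(env, rules) {
  return Object.entries(rules).map(([name, rule]) => {
    const value = rule.secret ? "" : (env[name] ?? "").replace(/^(\w[\w+.-]*:\/\/)[^/@]*@/, "$1");
    const note = (rule.required ? "Required" : "Optional") + (rule.secret ? " (secret)" : "");
    return `${name}=${value} # ${note}`;
  }).join("\n") + "\n";
}

// Constructed sample .env contents (not real credentials).
const sampleEnv = [
  "MONGODB_URI=mongodb://app:example-pass@localhost:27017/myapp",
  "GOOGLE_CLIENT_ID= # not filled in yet",
  'GOOGLE_CLIENT_SECRET="constructed-placeholder"',
  "LOG_LEVEL=verbose",
].join("\n");
const parsed = parseEnv(sampleEnv);
console.log(validate(parsed, schema));
console.log(generateExample(parsed, schema));
```

With the sample input, validation fails `GOOGLE_CLIENT_ID` as missing and `LOG_LEVEL` as an invalid format, and the generated template contains neither the client secret nor the database password.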
Document (--document)
- Parse all env vars from codebase
- Extract from schema (Zod, etc.)
- Generate ENV.md with descriptions
Check secrets (--check-secrets)
- Scan codebase for env patterns
- Detect hardcoded secrets
- Report violations
Output
- Validation results (pass/fail per var)
- Files created/updated
- Warnings for potential issues
Reference
For schema patterns and validation, see reference/shared-env-reference.md