Purpose
Manage environment variables safely: validate required vars are set, generate .env.example, document variables, and detect accidentally committed secrets.
Arguments
--validate — Check all required env vars are set (default)
--generate-example — Create/update .env.example from .env
--document — Generate ENV.md documentation
--check-secrets — Scan for secrets in codebase
What gets created/updated
.env.example # Template with placeholders
ENV.md # Documentation of all variables
.gitignore # Ensure .env is ignored
Environment file hierarchy
.env # Local overrides (git-ignored)
.env.local # Local secrets (git-ignored)
.env.development # Dev defaults (committed)
.env.production # Prod defaults (committed, no secrets)
.env.example # Template (committed)
Validation rules
For each variable, specify:
- required — Must be set and non-empty
- optional — May be unset or empty
- format — URL, email, number, boolean, enum, etc.; checked only when the variable is set
- secret — Must never be committed; redacted to an empty placeholder in .env.example
.env.example format
# Database
MONGODB_URI=mongodb://localhost:27017/myapp # Required: MongoDB connection string
# Auth (obtain from Google Cloud Console)
GOOGLE_CLIENT_ID= # Required: OAuth client ID
GOOGLE_CLIENT_SECRET= # Required: OAuth client secret (secret)
# Optional
LOG_LEVEL=info # Optional: debug|info|warn|error
Quote any value that contains '#': dotenv loaders differ on whether an unquoted '#' after whitespace starts a comment, so an unquoted secret containing '#' can be silently truncated by one loader and read whole by another.
Workflow
Validate (--validate)
- Load env schema (from code or config)
- Check each required var is set
- Validate formats
- Report missing/invalid
Generate example (--generate-example)
- Read current .env
- Redact secret values
- Add placeholder comments
- Write .env.example
Document (--document)
- Parse all env vars from codebase
- Extract from schema (Zod, etc.)
- Generate ENV.md with descriptions
Check secrets (--check-secrets)
- Scan codebase for env patterns
- Detect hardcoded secrets
- Report violations
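The codebase scan behind --document (finding every env var the code reads) and --check-secrets (hardcoded secrets), as an added example that is not the tool's own code. scanEnvReferences, scanForSecrets, undocumentedVars and the sample files are illustrative; the token patterns are a small subset of well-known shapes (AWS access key IDs, GitHub tokens, PEM private-key headers), and AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation, not a real credential.

```javascript
// Added example (not the tool's own code): scan source text for process.env references
// and for hardcoded secrets. All function names, patterns and sample files are illustrative.

// Well-known token shapes; precise enough to report on their own.
const TOKEN_PATTERNS = [
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'PEM private key', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// A string literal of 8+ chars assigned to a secret-like name, e.g.
//   const apiKey = '...'   STRIPE_SECRET_KEY = "..."   password: '...'
const SECRET_ASSIGN =
  /\b([A-Za-z0-9_]*(?:secret|password|passwd|token|api[_-]?key|private[_-]?key)[A-Za-z0-9_]*)\s*[:=]\s*(['"])([^'"]{8,})\2/i;

// Literals that are obviously placeholders rather than live values.
const PLACEHOLDER = /^(<.*>|\$\{.*\}|your[-_ ]|changeme|x{3,}|todo)/i;

// Shannon entropy in bits per character; random keys sit well above prose and identifiers.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Every process.env.NAME / process.env['NAME'] reference, keyed by variable name.
function scanEnvReferences(files) {
  const refs = {};
  const re = /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*\])/g;
  for (const [path, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const m of line.matchAll(re)) {
        const name = m[1] || m[2];
        refs[name] = refs[name] || [];
        refs[name].push(`${path}:${i + 1}`);
      }
    });
  }
  return refs;
}

// Variables the code reads that the schema/documentation does not list.
function undocumentedVars(refs, documentedNames) {
  const known = new Set(documentedNames);
  return Object.keys(refs).filter((name) => !known.has(name));
}

// Hardcoded-secret findings. Known token shapes are high confidence; a literal assigned to a
// secret-like name is high confidence when its entropy is key-like, low otherwise (still reported).
function scanForSecrets(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (/\.env\.example$/.test(path)) continue; // placeholders live here by design
    text.split('\n').forEach((line, i) => {
      const hit = TOKEN_PATTERNS.find(({ re }) => re.test(line));
      if (hit) { findings.push({ path, line: i + 1, rule: hit.name, confidence: 'high' }); return; }
      const m = SECRET_ASSIGN.exec(line);
      if (!m || PLACEHOLDER.test(m[3])) return;
      findings.push({ path, line: i + 1, rule: `hardcoded value for ${m[1]}`,
                      confidence: shannonEntropy(m[3]) >= 3.5 ? 'high' : 'low' });
    });
  }
  return findings;
}

// Constructed sample files (not real code or credentials).
const SAMPLE_FILES = {
  'src/db.js': [
    "const uri = process.env.MONGODB_URI;",
    "const level = process.env['LOG_LEVEL'] || 'info';",
  ].join('\n'),
  'src/aws.js': [
    "const accessKeyId = 'AKIAIOSFODNN7EXAMPLE';",          // AWS docs placeholder key
    "const apiKey = 'sk-9fQ2mX7pL4wR8vT1kZ6bN3cY';",        // made-up high-entropy literal
    "const apiKeyPlaceholder = '<your-api-key-here>';",     // placeholder, not reported
    "const password = 'password';",                         // low entropy, reported as low
  ].join('\n'),
  '.env.example': 'GOOGLE_CLIENT_SECRET= # Required: OAuth client secret (secret)',
};

console.log(scanEnvReferences(SAMPLE_FILES));
console.log(undocumentedVars(scanEnvReferences(SAMPLE_FILES), ['MONGODB_URI']));
console.log(scanForSecrets(SAMPLE_FILES));
```

Findings carry a confidence rather than being gated on entropy alone, so a weak literal such as password = 'password' is surfaced as low confidence instead of silently dropped; tune the 3.5-bit threshold and the placeholder list to the codebase, and feed undocumentedVars into the ENV.md generation so variables read by the code but missing from the schema are caught.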
Output
- Validation results (pass/fail per var)
- Files created/updated
- Warnings for potential issues
Reference
For schema patterns and validation, see reference/shared-env-reference.md
