Use when managing environment variables across projects, working with .env files, setting up project secrets, or using the envault CLI tool for centralized env var management
/plugin marketplace add altic-dev/envault/plugin install altic-dev-envault-manager@altic-dev/envaultThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Envault is a centralized environment variable management CLI tool that stores variables in a SQLite database (~/.envault/envault.db) while keeping .env files in sync. It uses git repository roots to identify projects and provides a structured, AI-friendly interface for managing environment variables across multiple projects and environments.
Core principle: One database for all projects, with bidirectional sync between the database (store) and project .env files.
Before using envault, always check if it's installed:
# Check if envault is installed and get version
envault --version
# If not installed, you'll see: "command not found: envault"
# If installed, you'll see: "envault 0.1.0" (or current version)
If envault is not installed, install it:
Using Bun (recommended):
bun install -g envault-manager
Using npm:
npm install -g envault-manager
Verify installation:
# Should show version number
envault --version
# Should show help menu
envault --help
Use envault when:
.env files to import into centralized management| Command | Purpose | Example |
|---|---|---|
envault project list | List all tracked projects | envault project list --json |
envault env list | List environments in current or specified project | envault env list --project backend |
envault var list | List variables (with partial value display) | envault var list --env prod |
envault var get <KEY> | Get full value of a variable | envault var get DATABASE_URL |
envault var set <KEY> | Set variable (interactive/secure mode) | envault var set API_KEY --env prod |
envault var unset <KEY> | Remove a single variable | envault var unset OLD_KEY |
envault var clear | Remove all variables (with confirmation) | envault var clear --env dev --yes |
envault var copy <project> | Copy variables from another project | envault var copy backend --from-env prod --env staging |
envault sync | Sync store → project (write .env files) | envault sync |
envault sync --from project | Sync project → store (import .env files) | envault sync --from project |
Envault maps .env files to environment names:
| File | Environment Name |
|---|---|
.env | default |
.env.dev | dev |
.env.prod | prod |
.env.staging | staging |
.env.<custom> | <custom> |
Important notes:
--env flag is omitted, envault uses default environment (mapped to .env file).env.<name> file creates a <name> environment (e.g., .env.production → production env, not prod)dev, prod, staging) to avoid confusionenvault project listList all tracked projects in the database.
# Human-readable format
envault project list
# JSON format
envault project list --json
Output: Shows project name and absolute path for each tracked project.
envault env listList environments for current repo or a specific project.
# Current repo
envault env list
# Specific project by name
envault env list --project backend
# JSON output
envault env list --json
Flags:
--project <name> or -p <name>: Target a tracked project by name--json: Output as JSON arrayenvault var listList all variables with partial value display (first4...last4 for security).
# Current repo, all environments
envault var list
# Specific project
envault var list --project backend
# Filter by environment
envault var list --env prod
# Combine filters with JSON output
envault var list --project frontend --env staging --json
Flags:
--project <name> or -p <name>: Target a tracked project--env <env>: Filter by environment--json: Output as JSONOutput format: Variables grouped by environment, values shown as xxxx...xxxx (masked).
envault var get <KEY>Retrieve the full, unmasked value of a variable (prints to stdout).
# Get from default environment
envault var get DATABASE_URL
# Get from specific environment
envault var get API_KEY --env prod
Use case: Piping values to other commands or viewing full secrets.
Security note: Output goes to stdout, so avoid logging or displaying in insecure contexts.
envault var set <KEY>Add or update an environment variable.
Interactive mode (RECOMMENDED for secrets):
# Hidden input prompt (value NOT in shell history)
envault var set API_KEY
# Multi-line value (certificates, private keys)
envault var set SSL_CERT --multiline
Non-interactive mode (for non-sensitive values only):
# Positional value (WARNING: appears in shell history)
envault var set DEBUG true
# Flag-based value (WARNING: appears in shell history)
envault var set PORT --value 3000
With environment:
# Set in production environment
envault var set DATABASE_URL --env prod
Behavior:
.env file immediatelyFlags:
--env <env>: Target environment (default: default)--value <value>: Non-interactive value (avoid for secrets)--multiline: Enable multi-line input (Ctrl+D to finish)envault var unset <KEY>Remove a single variable from an environment.
# Unset from default environment (with confirmation)
envault var unset OLD_API_KEY
# Unset from specific environment
envault var unset TEMP_TOKEN --env staging
Behavior:
.env fileenvault var clearRemove all variables from a project or environment.
# Clear all environments in current repo (with confirmation)
envault var clear
# Clear specific environment only
envault var clear --env dev
# Clear without confirmation
envault var clear --env test --yes
# Clear variables in a tracked project (store only)
envault var clear --project old-app --yes
Flags:
--project <name> or -p <name>: Target a tracked project (store only; doesn't update .env files)--env <env>: Clear specific environment only--yes or -y: Skip confirmation promptImportant: When using --project, only the database is modified. Run envault sync in that project directory to update .env files.
envault var copy <fromProject>Copy variables from another tracked project into the current repository.
Copy all variables (preserves environments):
# Copy all variables from all environments
envault var copy backend
# Copy all from specific source environment to same environment
envault var copy backend --from-env prod
Copy specific variable:
# Auto-detect which environment contains the key
envault var copy backend DATABASE_URL
# Copy from specific source to target environment
envault var copy backend DATABASE_URL --from-env prod --env staging
Flags:
--from-env <env>: Source environment (default: all environments or auto-detect)--env <env> or --to-env <env>: Target environment (default: same as source)Behavior:
.env files in current repoenvault syncSync between database (store) and project files.
Default: Store → Project (write .env files from database):
envault sync
Reverse: Project → Store (import .env files into database):
envault sync --from project
Direction:
envault sync): Reads variables from database and writes to .env* files in current repo--from project: Reads .env* files from current repo and imports into databaseUse cases:
.env files, or after manually editing filesBehavior:
.env* files in git repository root.env → default, .env.dev → dev, etc.).env syntax before importingcd my-new-project
git init # Required
# Add variables interactively (secure)
envault var set DATABASE_URL
envault var set API_KEY
envault var set JWT_SECRET
# Check what was created
envault var list
cat .env # Variables now in .env file
# Set up development
envault var set DATABASE_URL --env dev
envault var set DEBUG --value true --env dev
# Set up production
envault var set DATABASE_URL --env prod
envault var set DEBUG --value false --env prod
# List all environments
envault env list
# View production variables
envault var list --env prod
cd my-frontend
# Copy all variables from backend
envault var copy backend
# Copy specific variable
envault var copy backend API_BASE_URL
# Copy prod to staging
envault var copy backend --from-env prod --env staging
cd existing-project
# Import all .env* files into database
envault sync --from project
# Verify import
envault var list
# From any directory, list variables in another project
envault var list --project backend --env prod
# Clear variables in a different project
envault var clear --project old-project --yes
# Note: .env files only update when you run sync IN that project directory
envault var set API_KEY (no value arg)--multiline for certificates and multi-line secretsvar get output in pipes carefully (avoid logging)chmod 600)envault var set KEY value for secrets (appears in shell history)--value flag for sensitive data.env files to git (envault doesn't prevent this)Important: Envault is NOT a secrets management tool like HashiCorp Vault or AWS Secrets Manager. It stores values as plaintext (same as .env files) and relies on filesystem permissions for security. Its value is in centralized management and workflow improvement, not encryption.
| Mistake | Fix |
|---|---|
| Using envault without checking if installed | Always run envault --version first. If not found, install with bun install -g envault-manager |
| Running outside git repo | Run git init first - envault requires git for project detection |
| Wrong sync direction | envault sync = store→project (default). Use --from project to import files |
| Environment name confusion | Use simple names: dev, prod, staging (not development, production) |
Expecting .env.production | File should be .env.prod (environment name, not full word) |
Using --project with var set | var set only works in current repo. cd to target project first |
Forgetting --env flag | Defaults to default environment (.env file) |
| Overwrite without confirmation | Most commands prompt for confirmation; use --yes to skip (use carefully) |
| Shell history exposure | Use interactive mode (no value arg) to avoid secrets in history |
| Clearing wrong environment | Double-check --env flag before confirming var clear |
| Error | Meaning | Solution |
|---|---|---|
command not found: envault | Envault is not installed on the system | Install with bun install -g envault-manager, then verify with envault --version |
Error: Not in a git repository | Current directory is not in a git repo | Run git init or cd to a git repository |
Error: Project not tracked yet | Project not in database | Run envault var set <KEY> or envault sync --from project to initialize |
Error: Variable 'KEY' not found | Variable doesn't exist in specified environment | Check with envault var list or set with envault var set |
Error: Project 'name' not found | No tracked project with that name | Check envault project list for available projects |
Error: Failed to parse .env | Syntax error in .env file | Fix syntax error at reported line number before syncing |
Many commands support --json flag for programmatic use:
# Get structured project data
envault project list --json
# Get environment list as array
envault env list --json
# Get variables as structured data
envault var list --json
Use case: Parsing output in scripts, CI/CD pipelines, or when building tools on top of envault.
Envault automatically identifies projects by their git repository root (absolute path). This means:
var set or sync --from projectTo work across machines, use envault sync --from project to re-import on each machine, or use the var copy command to share variables between tracked projects.
This skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.