Envault
Let agents safely manage env variables
Centralized environment variable management for developers and AI agents.
Envault is a CLI tool that helps you manage environment variables across multiple projects with a simple, consistent interface. It stores variables in a centralized SQLite database while keeping your .env files in sync.
Features
- Centralized Management: One database for all your projects' environment variables
- Multi-Environment Support: Manage dev, staging, prod, and custom environments
- Cross-Project Sharing: Copy variables between projects easily
- AI Agent Friendly: Structured commands instead of direct file manipulation
- Interactive & Secure: Hidden input for sensitive values, no shell history exposure
- Git-Based Projects: Automatic project detection via git repository root
- Partial Value Display: Shows masked values (first4...last4) for security
Using envault as a skill
The envault skill allows AI terminal agents to manage environment variables on your behalf using structured commands instead of direct file manipulation.
Claude Code
Install the envault skill from the marketplace:
/plugin marketplace add altic-dev/envault
/plugin install envault-manager
Codex (OpenAI)
Copy the skill file to your Codex skills directory:
mkdir -p ~/.codex/skills
cp skills/envault-manager/SKILL.md ~/.codex/skills/envault-manager.md
Then restart Codex to load the skill.
OpenCode
Copy the skill file to your OpenCode skills directory:
mkdir -p ~/.opencode/skills/envault-manager
cp skills/envault-manager/SKILL.md ~/.opencode/skills/envault-manager/SKILL.md
Then restart OpenCode to load the skill.
Amp
Copy the skill file to your Amp skills directory:
mkdir -p ~/.config/agents/skills/envault-manager
cp skills/envault-manager/SKILL.md ~/.config/agents/skills/envault-manager/SKILL.md
Then restart Amp to load the skill.
Installation
Using Bun (recommended)
bun install -g envault-manager
Using npm
npm install -g envault-manager
From source
git clone https://github.com/altic-dev/envault.git
cd envault
bun install
bun run build
bun link
Quick Start
# Initialize (automatic on first use)
cd /path/to/your/project
# Add a variable (interactive mode - recommended for secrets)
envault var set DATABASE_URL
# Add with inline value (appears in shell history)
envault var set DEBUG true
# List all variables in the current repo
envault var list
# Get a specific value
envault var get DATABASE_URL
# Sync existing .env files to database
envault sync
Commands
Envault uses a noun + verb interface optimized for both humans and AI agents.
envault project
List tracked projects in the store.
# List all projects
envault project list
# Output as JSON
envault project list --json
envault env
List environments for the current repo (default) or a tracked project.
# List environments for current repo
envault env list
# List environments for a tracked project by name
envault env list --project my-app
# Alias for --project
envault env list -p my-app
# Output as JSON
envault env list --json
envault var
Manage variables for the current repo (default) or a tracked project.
# List variables for current repo
envault var list
# List variables for a tracked project
envault var list --project my-app
# Filter by environment
envault var list --env prod
# Output as JSON
envault var list --json
# Get a specific value (prints plaintext to stdout)
envault var get DATABASE_URL
# Set interactively (hidden input)
envault var set API_KEY
# Set with inline value (WARNING: appears in shell history)
envault var set DEBUG true
# Set with non-interactive flag (quote if it contains spaces; WARNING: the value is on the command line, so it also appears in shell history)
envault var set API_KEY --value "secret"
# Multiline value (Ctrl+D to finish)
envault var set SSL_CERT --multiline
# Unset (remove) a variable (with confirmation)
envault var unset OLD_VAR
# Clear (remove) ALL variables in a project (with confirmation unless --yes)
envault var clear
# Clear variables for one environment only
envault var clear --env prod
# Clear variables for a tracked project by name (store only; run sync in that repo to update .env files)
envault var clear --project my-app --yes
# Copy variables from another tracked project into the current repo
envault var copy backend
envault var copy backend DATABASE_URL --from-env prod --env staging
envault sync
Sync variables between your project (.env* files) and the store (database).
# Sync store → project (default): write .env* files from database
envault sync
# Sync project → store (.env* → db): import .env* into the store
envault sync --from project
File mapping:
- .env → default environment
- .env.dev → dev environment
- .env.prod → prod environment
- .env.<custom> → <custom> environment
envault help
Get help for any command.
# Global help
envault --help
# Command-specific help
envault help var set
Workflow Examples
Setting up a new project
cd my-new-project
git init
# Add variables interactively
envault var set DATABASE_URL
envault var set API_KEY
envault var set JWT_SECRET
# Variables are now in both database and .env file
cat .env
Managing multiple environments
# Add production variables
envault var set DATABASE_URL --env prod
envault var set API_KEY --env prod
# Add development variables
envault var set DATABASE_URL --env dev
envault var set DEBUG true --env dev
# List all environments
envault env list
Copying variables between projects
cd my-frontend
# Copy DATABASE_URL from backend project
envault var copy backend DATABASE_URL
# Copy all prod variables to local staging
envault var copy backend --from-env prod --env staging
Migrating existing .env files
cd existing-project
# Import your existing .env files into the store
envault sync --from project
# Now managed by envault
envault var list
How It Works
Project Detection
Envault uses git repository roots to identify projects. Each project is uniquely identified by its absolute path on your system.
Storage
- Database: ~/.envault/envault.db (SQLite, plaintext)
- Permissions: Database file is chmod 600 (owner read/write only)
- .env Files: Remain in your project directories, synced with database
Security Model
Envault is not an encryption or secrets management tool. It's a workflow and organization tool that:
- Stores values as plaintext (same as .env files)
- Relies on filesystem permissions for security
- Helps prevent accidental exposure via shell history (interactive mode)
- Provides partial value display for quick verification
For true secrets management, use tools like HashiCorp Vault, AWS Secrets Manager, or similar.
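Because the store and the synced .env* files are plaintext and protected only by file permissions, it is worth checking those permissions after a sync. The script below is an added example, not part of envault: the function names are made up for illustration, the store path is the one listed under Storage, and the project directory is passed as an argument.

```shell
#!/bin/sh
# Added example: audit file modes for the envault store and a project's .env* files.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 only when neither group nor other has any access (e.g. 600, 400).
is_owner_only() {
    mode=$(file_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Audit the store plus every .env / .env.* file directly under a project directory.
# Prints one line per file; returns 1 if any file is readable beyond its owner.
audit_envault_files() {
    store=$1
    project=$2
    bad=0
    for f in "$store" "$project"/.env "$project"/.env.*; do
        [ -f "$f" ] || continue          # skip unmatched globs and missing files
        if is_owner_only "$f"; then
            echo "ok    $(file_mode "$f")  $f"
        else
            echo "OPEN  $(file_mode "$f")  $f  (fix: chmod 600 \"$f\")"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use: audit.sh <store-path> <project-dir>, for example
#   sh audit.sh "$HOME/.envault/envault.db" "$(git rev-parse --show-toplevel)"
if [ "$#" -eq 2 ]; then
    audit_envault_files "$1" "$2"
fi
```

A file written by a sync inherits the process umask, so a 644 result on a .env file is common and is exactly what this check is meant to surface.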
Requirements
- Bun >= 1.0.0 (or Node.js with appropriate modifications)
- Git (for project detection)
Development
# Clone repository
git clone https://github.com/altic-dev/envault.git
cd envault
# Install dependencies
bun install
# Run in development mode
bun run dev
# Build for production
bun run build
# Run tests
bun test
Contributing
Contributions welcome! Please open an issue or PR.
Acknowledgments
Built with Bun - a fast all-in-one JavaScript runtime.
