CLI Overview

| Command | Description |
| --- | --- |
| envpkt init | Generate an envpkt.toml template |
| envpkt keygen | Generate age keypair for sealing secrets |
| envpkt audit | Check credential health against lifecycle policies |
| envpkt inspect | Display a structured view of the config |
| envpkt resolve | Resolve catalog references into a flat config |
| envpkt fleet | Scan directory tree and aggregate health |
| envpkt exec | Pre-flight audit, inject secrets, run a command |
| envpkt secret | Manage [secret.*] entries (add/edit/rm/rename/alias) |
| envpkt env CRUD | Manage [env.*] entries (add/edit/rm/rename/alias) |
| envpkt env scan | Auto-discover credentials from shell environment |
| envpkt env check | Bidirectional drift detection |
| envpkt env export | Output export statements for sourcing secrets |
| envpkt shell-hook | Output shell function for ambient warnings |
| envpkt mcp | Start the MCP server |

All commands support:

  • --help — Show help for the command
  • --version — Show envpkt version

Commands that read envpkt.toml (audit, inspect, resolve, exec, env check, env export) follow this resolution chain:

  1. Explicit -c path/to/envpkt.toml flag
  2. ENVPKT_CONFIG environment variable
  3. envpkt.toml in the current working directory
  4. ENVPKT_SEARCH_PATH (colon-separated list of candidate paths)
  5. Built-in search locations:
    • ~/.envpkt/envpkt.toml
    • OneDrive — macOS (~/OneDrive/, ~/Library/CloudStorage/OneDrive-*/), Windows ($USERPROFILE/OneDrive/, $OneDrive/), WSL (/mnt/c/Users/$USER/OneDrive/)
    • iCloud (~/Library/Mobile Documents/com~apple~CloudDocs/.envpkt/)
    • Dropbox (~/Dropbox/.envpkt/, $DROPBOX_PATH/.envpkt/)
    • Google Drive (~/Google Drive/My Drive/, ~/Library/CloudStorage/GoogleDrive-*/, $GOOGLE_DRIVE/)

When a config is loaded from outside CWD, envpkt prints the resolved path to stderr for transparency.
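
The precedence above can be checked ahead of time with a small shell function that reports which step would supply the config in the current environment. This is an added example, not envpkt's own code: it covers steps 1-4 and only the `~/.envpkt/envpkt.toml` built-in location, and it assumes a step matches only when the file exists and that each `ENVPKT_SEARCH_PATH` entry is a file path. The function name `resolve_envpkt_config` and the step labels are hypothetical.

```shell
#!/bin/sh
# Added example, not envpkt's own code. Mirrors steps 1-4 of the documented
# chain plus the ~/.envpkt/envpkt.toml built-in location (cloud folders omitted).
# Assumptions: a step matches only if the file exists; each ENVPKT_SEARCH_PATH
# entry is a file path. Function name and step labels are hypothetical.

# Usage: resolve_envpkt_config [path given to -c]
# Prints "<step>:<path>" for the first match; exits 1 if nothing matches.
# The body runs in a subshell so IFS and `set -f` do not leak to the caller.
resolve_envpkt_config() (
    set -f  # do not glob-expand ENVPKT_SEARCH_PATH entries while splitting
    hit() { printf '%s:%s\n' "$1" "$2"; exit 0; }

    # 1. Explicit -c flag
    if [ -n "${1:-}" ] && [ -f "$1" ]; then hit flag "$1"; fi
    # 2. ENVPKT_CONFIG environment variable
    if [ -n "${ENVPKT_CONFIG:-}" ] && [ -f "$ENVPKT_CONFIG" ]; then
        hit env "$ENVPKT_CONFIG"
    fi
    # 3. envpkt.toml in the current working directory
    if [ -f ./envpkt.toml ]; then hit cwd "$PWD/envpkt.toml"; fi
    # 4. ENVPKT_SEARCH_PATH, colon-separated, checked in order
    IFS=:
    for candidate in ${ENVPKT_SEARCH_PATH:-}; do
        if [ -n "$candidate" ] && [ -f "$candidate" ]; then
            hit search_path "$candidate"
        fi
    done
    # 5. First built-in location
    if [ -f "$HOME/.envpkt/envpkt.toml" ]; then
        hit builtin "$HOME/.envpkt/envpkt.toml"
    fi
    exit 1
)

# A result of env, search_path or builtin means the file was picked up from the
# environment or the home directory rather than from the project directory.
resolve_envpkt_config "$@" || echo "no envpkt.toml found" >&2
```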

If a catalog field is present, it’s resolved relative to the config file’s directory.

| Code | Meaning |
| ---- | ------------------------------------- |
| 0 | Healthy — all secrets pass audit |
| 1 | Degraded — some secrets have warnings |
| 2 | Critical — expired or missing secrets |

See Exit Codes reference for details.