envpkt env export
Output export KEY='VALUE' statements that can be eval’d to inject secrets into the current shell session. Secrets are resolved via sealed packets and/or fnox — the same pipeline as envpkt exec, but without spawning a subprocess.
envpkt env export [options]Options
Section titled “Options”| Option | Description | Default |
| --------------------- | ------------------------------------------------------------------------ | ------------- |
| -c, --config <path> | Path to envpkt.toml | Auto-detected |
| --profile <profile> | fnox profile to use | Default |
| --skip-audit | Skip the pre-flight audit | false |
| --track | Emit prior-value snapshots + an _ENVPKT_INJECTED list for a shell hook | false |
Scope and the explicit vs. ambient paths
Section titled “Scope and the explicit vs. ambient paths”Plain envpkt env export is an explicit invocation — it emits all resolved secrets (and env
defaults), regardless of the package’s scope. So
eval "$(envpkt env export)" loads everything, as you’d expect.
scope only gates the ambient path — env export --track, which the
shell hook uses to load credentials automatically on cd:
scope = "exec"(default) —--trackemits only env defaults; secrets are withheld (useenvpkt execfor those).scope = "shell"—--trackalso emits secret values, so the hook loads them ambiently.
This keeps an explicit env export from ever silently withholding, while ambient cd-loading
stays scoped. envpkt exec, env github, and env dotenv
always resolve everything regardless of scope.
Examples
Section titled “Examples”# Source secrets into the current shelleval "$(envpkt env export)"
# Use a specific fnox profileeval "$(envpkt env export --profile staging)"
# Specify config patheval "$(envpkt env export -c path/to/envpkt.toml)"Shell Startup
Section titled “Shell Startup”Add to ~/.zshrc or ~/.bashrc for automatic secret loading:
eval "$(envpkt env export 2>/dev/null)"Warnings are emitted to stderr so they don’t pollute the eval output.
How It Works
Section titled “How It Works”- Resolves
envpkt.tomlvia the config discovery chain (CWD →ENVPKT_CONFIG→~/.envpkt/→ cloud storage →ENVPKT_SEARCH_PATH) - If config is loaded from outside CWD, prints the resolved path to stderr
- Decrypts sealed packets and/or resolves via fnox
- Outputs
export KEY='VALUE'for each resolved secret to stdout - Emits any warnings to stderr
Values containing single quotes are safely escaped (' becomes '\'').
Namespace
Section titled “Namespace”If the config declares a [namespace],
the emitted export statements use the wire name (e.g. CIV__API_KEY), not
the logical TOML key — so the variable you eval into your shell matches what the
consumer reads. This is why the separator must be shell-safe (_/__):
$ envpkt env exportexport CIV__API_KEY='sk-...'export CIV__LOG_LEVEL='info'Aliases
Section titled “Aliases”Entries with from_key (see Aliases) are
exported as separate export statements alongside their target, each holding
the same resolved value. If the target resolves, its aliases resolve; if the
target is skipped, aliases are skipped too.
--track (for shell hooks)
Section titled “--track (for shell hooks)”--track makes the output safe for a directory-change hook that loads a package on cd and
restores the previous environment on leave. For each variable it emits an in-shell snapshot of
the prior value plus a presence marker, then the assignment, and finally an _ENVPKT_INJECTED
list of the names it set:
$ envpkt env export --track_ENVPKT_HAD_CIV__API_KEY=${CIV__API_KEY+1}; _ENVPKT_PREV_CIV__API_KEY="${CIV__API_KEY-}"; export CIV__API_KEY='sk-...'_ENVPKT_INJECTED='CIV__API_KEY'A hook unsets/restores the names in _ENVPKT_INJECTED before loading the next directory’s
package, so leaving a project doesn’t leak its variables into the next. Plain env export
(without --track) output is unchanged.