# envpkt secret
CRUD subcommands for [secret.*] entries. All writes preserve file formatting and can be previewed with --dry-run.
```bash
envpkt secret add <name> [options]
envpkt secret edit <name> [options]
envpkt secret rm <name> [options]
envpkt secret rename <old> <new> [options]
envpkt secret alias <name> --from secret.<TARGET> [options]
```

## secret add

Create a new [secret.<name>] block with metadata. Errors if <name> already exists.

| Option | Description |
|---|---|
| -c, --config <path> | Path to envpkt.toml |
| --service <name> | Service this secret authenticates to |
| --purpose <text> | Why this secret exists |
| --comment <text> | Free-form annotation |
| --expires <date> | Expiration date (YYYY-MM-DD) |
| --capabilities <cs> | Comma-separated capabilities (e.g., read,write) |
| --rotates <sched> | Rotation schedule (e.g., 90d, quarterly) |
| --rate-limit <info> | Rate limit info (e.g., 1000/min) |
| --model-hint <hint> | Suggested model or tier |
| --source <origin> | Where the value comes from (e.g., vault, ci) |
| --rotation-url <u> | URL for rotation procedure |
| --tags <pairs> | Comma-separated key=value tags |
| --required | Mark secret as required |
| --dry-run | Preview the TOML block without writing |

```bash
envpkt secret add STRIPE_API_KEY \
  --service stripe \
  --purpose "Payment processing" \
  --expires 2026-06-30 \
  --capabilities "charges,refunds" \
  --rotates 90d \
  --required
```

## secret edit

Update fields on an existing secret. Supports every secret add option plus --no-required to unset the required flag. Errors if <name> doesn't exist. Use --dry-run to preview.
```bash
envpkt secret edit STRIPE_API_KEY --expires 2026-12-31 --rotates 60d
envpkt secret edit STRIPE_API_KEY --no-required
```

## secret rm

Remove a secret entry from the file.
| Option | Description |
|---|---|
| -c, --config <path> | Path to envpkt.toml |
| --dry-run | Preview the result without writing |

```bash
envpkt secret rm STRIPE_API_KEY
envpkt secret rm STRIPE_API_KEY --dry-run
```

## secret rename

Rename a secret, preserving all metadata.
| Option | Description |
|---|---|
| -c, --config <path> | Path to envpkt.toml |
| --dry-run | Preview the result without writing |

```bash
envpkt secret rename STRIPE_API_KEY STRIPE_SECRET_KEY
```

## secret alias

Create an alias entry that reuses another secret's resolved value. This is useful when a consumer hardcodes a different env var name than the one you govern canonically. See Aliases for the feature overview.
| Option | Description |
|---|---|
| --from <ref> | Required. Target reference, must be secret.<KEY> |
| -c, --config <path> | Path to envpkt.toml |
| --purpose <text> | Why this alias exists (local metadata, not inherited) |
| --comment <text> | Free-form annotation |
| --tags <pairs> | Comma-separated key=value tags |
| --force | Overwrite the entry if <name> already exists |
| --dry-run | Preview the TOML block without writing |

```bash
# Basic alias: STRIPE_LEGACY_KEY resolves to STRIPE_API_KEY's value
envpkt secret alias STRIPE_LEGACY_KEY --from secret.STRIPE_API_KEY

# With local metadata
envpkt secret alias STRIPE_LEGACY_KEY \
  --from secret.STRIPE_API_KEY \
  --purpose "Legacy env var name the older SDK still reads"

# Overwrite protection: without --force, warns and exits if the name exists
envpkt secret alias STRIPE_LEGACY_KEY --from secret.STRIPE_API_KEY
# Warning: secret "STRIPE_LEGACY_KEY" already exists. Pass --force to overwrite.

envpkt secret alias STRIPE_LEGACY_KEY --from secret.STRIPE_API_KEY --force
```

## Rejection rules (enforced at write time)
| Case | Behavior |
|---|---|
| --from missing or not secret.<KEY> | Exit with error |
| --from points at an env.* entry | Reject: use envpkt env alias for env aliases |
| Target doesn't exist in config | Reject: add the target secret first |
| Target is itself an alias | Reject: chained aliases are not supported |
| <name> equals the target key | Reject: self-reference |
| <name> already exists without --force | Warn and exit; report whether the existing entry was regular or another alias |
At runtime the load-time validator re-checks these rules, so configs hand-edited to bypass the CLI checks still fail to boot with a clear AliasError (see Error Types).
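The write-time rules above and the load-time re-check, as an added Python example that is not envpkt's own code. It assumes the parsed [secret.*] tables arrive as a dict keyed by secret name, that an alias entry keeps its target reference under an "alias" key, and that the error class is named AliasError as the page mentions.

```python
import re
class AliasError(ValueError):
    """Assumed name, mirroring the AliasError the page mentions."""
_REF = re.compile(r"^secret\.([A-Za-z_][A-Za-z0-9_]*)$")
def alias_rejection(secrets, name, from_ref, force=False):
    """Return None if the alias is accepted, else the rejection reason.
    secrets: parsed [secret.*] table, name -> metadata dict; an alias entry
    is assumed to keep its target reference under an "alias" key."""
    if not from_ref:
        return "--from is required"
    if from_ref.startswith("env."):
        return "target is an env.* entry; use 'envpkt env alias' for env aliases"
    m = _REF.match(from_ref)
    if not m:
        return f"--from must be secret.<KEY>, got {from_ref!r}"
    target = m.group(1)
    if name == target:
        return f"{name} cannot alias itself"
    if target not in secrets:
        return f"secret.{target} does not exist; add the target secret first"
    if "alias" in secrets[target]:
        return f"secret.{target} is itself an alias; chained aliases are not supported"
    if name in secrets and not force:
        kind = "another alias" if "alias" in secrets[name] else "a regular entry"
        return f'secret "{name}" already exists ({kind}); pass --force to overwrite'
    return None
def add_alias(secrets, name, from_ref, force=False, purpose=None):
    """CLI-side write: return a new mapping with the alias entry added."""
    reason = alias_rejection(secrets, name, from_ref, force)
    if reason:
        raise AliasError(reason)
    entry = {"alias": from_ref}
    if purpose:
        entry["purpose"] = purpose  # local metadata, not inherited from target
    return {**secrets, name: entry}
def validate_config(secrets):
    """Load-time re-check for hand-edited files: one reason per bad alias."""
    problems = []
    for name, entry in secrets.items():
        if "alias" in entry:
            # force=True: an entry already present is not an overwrite here
            reason = alias_rejection(secrets, name, entry["alias"], force=True)
            if reason:
                problems.append(f"{name}: {reason}")
    return problems
# Constructed sample: parsed form of two [secret.*] tables plus one alias.
SAMPLE = {"STRIPE_API_KEY": {"service": "stripe", "required": True},
          "DB_URL": {"service": "postgres"},
          "STRIPE_LEGACY_KEY": {"alias": "secret.STRIPE_API_KEY"}}
```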
- Secret values are not stored by any secret subcommand, only metadata. Use envpkt seal to encrypt values into encrypted_value, or let boot() resolve them from fnox at runtime.
- Every subcommand supports --dry-run to preview the resulting file without writing.
- -c, --config <path> defaults to the standard discovery chain (CWD → ENVPKT_CONFIG → ~/.envpkt/ → cloud storage).