envpkt shell-hook
Generate a shell function that, on every directory change, loads the credentials for the
directory you’re in and restores your environment when you leave. It resolves the nearest
envpkt.toml (walking up from the current directory), injects that package, and prints a
one-line credential-health warning.
    envpkt shell-hook <shell>              # shell: zsh | bash
    envpkt shell-hook <shell> --no-audit   # omit the on-cd health-check line

--no-audit drops step 4 (the audit spawn) from the emitted hook — useful on slower machines
where you don’t want the per-package-entry health check.
    # zsh (~/.zshrc)
    eval "$(envpkt shell-hook zsh)"

    # bash (~/.bashrc)
    eval "$(envpkt shell-hook bash)"

Behavior
On each cd the hook:
- Resolves the package for the new directory via envpkt config-path (walks up to the nearest envpkt.toml, like git/direnv). If it’s the same package as before — e.g. you moved between subdirectories of one project — it does nothing.
- Restores the previous package’s variables to their prior values (or unsets them if they had none), so leaving a project never leaks its credentials into the next one.
- Injects the new package via envpkt env export --track. Env defaults are always loaded; secret values load only when the package sets scope = "shell" — otherwise use envpkt exec.
- Warns on credential health via envpkt audit --format minimal.
Decryption happens only when the resolved package changes (not on every cd), and only the
resolve step runs in subdirectories of the same project — so the hook stays cheap.
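
The resolve, gate and restore steps above (prior value put back, or the name unset if it had none), sketched as an added example for POSIX sh/bash. It is not the hook envpkt emits: every pkt_* and _pkt_* name is hypothetical, and the NAME=VALUE arguments stand in for the output of envpkt env export --track.

```shell
# Illustrative sketch only; not the code `envpkt shell-hook` emits (names are hypothetical).
_pkt_current=""   # envpkt.toml path of the package now loaded
_pkt_tracked=""   # variable names injected for that package

# Walk up from absolute directory $1; print the nearest envpkt.toml, or nothing.
pkt_resolve() {
  _pkt_d=$1
  while [ -n "$_pkt_d" ]; do
    [ -f "$_pkt_d/envpkt.toml" ] && { printf '%s\n' "$_pkt_d/envpkt.toml"; return 0; }
    case $_pkt_d in /|.) return 0 ;; esac   # reached the top without a match
    _pkt_d=$(dirname "$_pkt_d")
  done
}

# Put each tracked name back to its prior value, or unset it if it had none.
pkt_restore() {
  for _pkt_n in $_pkt_tracked; do
    if eval "[ \"\$_pkt_had_$_pkt_n\" = 1 ]"; then
      eval "$_pkt_n=\$_pkt_old_$_pkt_n; export $_pkt_n"
    else
      unset "$_pkt_n"
    fi
    unset "_pkt_had_$_pkt_n" "_pkt_old_$_pkt_n"
  done
  _pkt_tracked=""
}

# pkt_switch PKG [NAME=VALUE ...]: PKG is the resolved path ("" for none); the
# pairs stand in for what the real hook gets from `envpkt env export --track`.
pkt_switch() {
  [ "$1" = "$_pkt_current" ] && return 0   # same package: do nothing
  pkt_restore                              # undo the old package first
  _pkt_current=$1
  shift
  for _pkt_p in "$@"; do
    case $_pkt_p in *=*) ;; *) continue ;; esac   # skip anything that is not NAME=VALUE
    _pkt_n=${_pkt_p%%=*}
    case $_pkt_n in ''|_pkt_*|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;; esac  # only identifiers reach eval
    case " $_pkt_tracked " in *" $_pkt_n "*) ;; *)   # save prior state once per name
      if eval "[ \"\${$_pkt_n+set}\" = set ]"; then
        eval "_pkt_had_$_pkt_n=1; _pkt_old_$_pkt_n=\$$_pkt_n"
      else
        eval "_pkt_had_$_pkt_n=0"
      fi
      _pkt_tracked="$_pkt_tracked $_pkt_n" ;;
    esac
    export "$_pkt_n=${_pkt_p#*=}"
  done
}
```

Recording "was set" separately from the saved value is what lets a variable that did not exist before the project be unset on leave rather than left behind as an empty string.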
Related: envpkt config-path
The hook gates on envpkt config-path, a resolve-only command that prints the envpkt.toml
path for the current directory (empty if none) — no decryption, no boot. It’s handy in scripts
too:
    envpkt config-path   # /Users/me/proj/envpkt.toml (from anywhere in proj/)

See the Shell Hooks integration for the full setup.