# EnvForge CLI Reference > Generated for EnvForge v0.7.4 ## Quick Recipes Jump to a solution: | I want to... | Command(s) | |---|---| | Protect a project from AI agents | `envforge fence` → `envforge ai-hook install claude-code` → `envforge mcp harden` | | Sync env vars across machines | `envforge sync init` → `envforge sync mark --all --sync` → `envforge sync push` | | Pull secrets from Vault/AWS | `envforge secrets config vault --set token=x` → `envforge secrets pull --from vault --path secret/myapp` → `envforge run --resolve -- cmd` | | Validate .env in CI/CD | `envforge validate --schema .env.schema --env .env.production` | | Find unused secrets | `envforge analytics unused` → `envforge analytics deprecation` | | Set up a new project | `envforge project init` → `envforge schema generate` → `envforge init` | | Share secrets with a teammate | `envforge share create --recipient age1... --all --output secrets.age` | | Rotate stale secrets | `envforge rotate --stale --propagate` | | Run a health check | `envforge check` / `envforge doctor --verbose` | | Export for Kubernetes | `envforge export --format k8s --k8s-name app-secrets` | | Scan for leaked secrets | `envforge scan --staged` / `envforge scan --mcp` | | Generate shell completions | `envforge completions zsh --install` | | Monitor secret infrastructure | `envforge monitor status` / `envforge monitor stream` | | Automate secret lifecycle | `envforge lifecycle rule list` → `envforge lifecycle check` | Commands support `--json` for machine output and `--dry-run` for preview. ## Global Flags Every command accepts these flags: | Flag | Description | |------|-------------| | `--json` | Output in JSON format | | `--dry-run` | Preview changes without writing to disk | | `-h, --help` | Print help | | `-V, --version` | Print version | --- ## Variable Management ### envforge list List all environment variables with optional filtering, grouping, and sorting. ``` Usage: envforge list [OPTIONS] ``` | Flag | Description | |------|-------------| | `--filter ` | Filter entries by key pattern (substring match) | | `--group ` | Group entries by prefix or tag (`prefix`, `tag`) | | `--sort ` | Sort order: `key`, `value`, `file` [default: key] | | `--reverse` | Reverse sort order | **Examples:** ```bash # List all variables envforge list # List matching a pattern envforge list --filter DB # Group by prefix envforge list --group prefix # Sort by value, descending envforge list --sort value --reverse # List as JSON envforge list --json ``` --- ### envforge get Get the value of a specific variable. ``` Usage: envforge get [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name | **Examples:** ```bash envforge get DATABASE_URL envforge get API_KEY --json ``` --- ### envforge set Set a variable (create or update). ``` Usage: envforge set [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | KEY=VALUE pair | **Examples:** ```bash envforge set DATABASE_URL=postgres://localhost/mydb envforge set API_KEY=sk-abc123 --dry-run envforge set NODE_ENV=production --json ``` --- ### envforge delete Soft-delete a variable. ``` Usage: envforge delete [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name | **Examples:** ```bash envforge delete OLD_API_KEY envforge delete TEMP_VAR --dry-run ``` --- ### envforge copy Copy a variable's value to clipboard. ``` Usage: envforge copy [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name | | Flag | Description | |------|-------------| | `--key-only` | Copy key name instead of value | **Examples:** ```bash envforge copy DATABASE_URL envforge copy API_KEY --json envforge copy MY_VAR --key-only ``` --- ### envforge move Move a variable to the reference file, or rename in-place. ``` Usage: envforge move [OPTIONS] [NEW_KEY] ``` | Argument | Description | |----------|-------------| | `` | Variable name | | `[NEW_KEY]` | New key name (renames in-place if provided) | **Examples:** ```bash # Move a variable to the reference file envforge move LEGACY_KEY # Rename a variable in-place envforge move OLD_NAME NEW_NAME # Preview the move envforge move OLD_SECRET --dry-run ``` --- ### envforge search Search environment variables by substring or fuzzy matching. ``` Usage: envforge search [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Search term (matches keys and values) | | Flag | Description | |------|-------------| | `--fuzzy` | Use fuzzy matching (default is substring match) | **Examples:** ```bash # Substring search envforge search db # Fuzzy search envforge search "database" --fuzzy # JSON output envforge search api --json ``` Sensitive values are automatically masked in output (e.g., `sk-ab***56`). --- ### envforge duplicates Detect and list duplicate keys. ``` Usage: envforge duplicates [OPTIONS] ``` **Examples:** ```bash envforge duplicates envforge duplicates --json ``` --- ### envforge diff Show pending changes as a diff. ``` Usage: envforge diff [OPTIONS] ``` **Examples:** ```bash envforge diff envforge diff --json ``` --- ### envforge explain Show all known info about a single environment variable (schema, history, provider). ``` Usage: envforge explain [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name to explain | **Examples:** ```bash envforge explain DATABASE_URL envforge explain API_KEY --json ``` --- ### envforge deps Show where an environment variable is referenced across your project. ``` Usage: envforge deps [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name | | Flag | Description | |------|-------------| | `--source` | Include source code scanning (slower) | **Examples:** ```bash envforge deps DATABASE_URL envforge deps API_KEY --source envforge deps SECRET_KEY --json ``` --- ## Import & Export ### envforge import Import variables from a .env file. ``` Usage: envforge import [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Path to .env file | | Flag | Description | |------|-------------| | `--force` | Overwrite existing keys without prompting | **Examples:** ```bash envforge import .env.backup envforge import .env.production --force envforge import .env.staging --dry-run ``` --- ### envforge export Export variables to various formats. ``` Usage: envforge export [OPTIONS] [PATH] ``` | Argument | Description | |----------|-------------| | `[PATH]` | Output file path (stdout if omitted) | | Flag | Description | |------|-------------| | `--exclude-sensitive` | Exclude sensitive keys (SECRET, TOKEN, PASSWORD, etc.) | | `--safe` | Redact sensitive values as [REDACTED] (safe for AI tools) | | `--env-example` | Generate .env.example from schema with placeholder values | | `--filter ` | Only export entries matching this query | | `--format ` | Output format: `dotenv`, `json`, `yaml`, `toml`, `docker`, `k8s`, `tfvars` | | `--k8s-name ` | Kubernetes Secret name (for k8s format, default: envforge-secrets) | | `--k8s-namespace ` | Kubernetes namespace (for k8s format, default: default) | **Examples:** ```bash # Export to stdout envforge export # Export to a file envforge export .env.backup # Export as YAML envforge export --format yaml # Export as Kubernetes Secret manifest envforge export --format k8s --k8s-name my-app-secrets --k8s-namespace prod # Export excluding sensitive values envforge export --exclude-sensitive # AWS Terraform tfvars format envforge export --format tfvars # Docker compose env_file format (quoted values) envforge export --format docker # Generate .env.example with placeholder values envforge export --env-example # Export safe version for AI tools envforge export --safe # Export only matching keys envforge export --filter "DB_*" ``` --- ## Schema & Validation ### envforge validate Validate ENV values against config rules and/or .env.schema. ``` Usage: envforge validate [OPTIONS] ``` | Flag | Description | |------|-------------| | `--schema ` | Path to .env.schema (auto-detected if omitted) | | `--env ` | Validate a specific .env file instead of EnvForge config | | `--environment ` | Environment name for schema overrides (e.g., production) | | `--rules ` | Additional validation rules as KEY=rule pairs (e.g., PORT=port, EMAIL=email) | **Examples:** ```bash # Validate current environment envforge validate # Validate against a specific schema envforge validate --schema ./custom.env.schema # Validate a specific .env file envforge validate --env .env.production # Validate with environment-specific overrides envforge validate --environment production # Validate with ad-hoc rules envforge validate --rules PORT=port --rules HOST=url ``` --- ### envforge schema generate Generate .env.schema from current environment variables. ``` Usage: envforge schema generate [OPTIONS] ``` | Flag | Description | |------|-------------| | `--output ` | Write output to file instead of stdout | **Examples:** ```bash # Generate schema to stdout envforge schema generate # Write schema to file envforge schema generate --output .env.schema ``` --- ### envforge schema json-schema Output JSON Schema for .env.schema format. ``` Usage: envforge schema json-schema [OPTIONS] ``` **Examples:** ```bash envforge schema json-schema envforge schema json-schema > env-schema.json ``` --- ### envforge schema emit-ai Generate AI-safe context file (names and types, no values). ``` Usage: envforge schema emit-ai [OPTIONS] ``` | Flag | Description | |------|-------------| | `--output ` | Output file path (default: stdout) | | `--infer` | Infer types from current env vars (when no .env.schema exists) | **Examples:** ```bash envforge schema emit-ai envforge schema emit-ai --output .env.ai-context envforge schema emit-ai --infer ``` --- ### envforge docs Generate documentation from .env.schema. ``` Usage: envforge docs [OPTIONS] ``` | Flag | Description | |------|-------------| | `--schema ` | Path to .env.schema (auto-detected if omitted) | | `--output ` | Write output to file instead of stdout | **Examples:** ```bash envforge docs envforge docs --output docs/env-vars.md envforge docs --schema .env.schema ``` --- ### envforge init Interactive environment setup from .env.schema. ``` Usage: envforge init [OPTIONS] ``` | Flag | Description | |------|-------------| | `--schema ` | Path to .env.schema (auto-detected if omitted) | | `--output ` | Output .env file path [default: .env] | **Examples:** ```bash envforge init envforge init --schema .env.schema --output .env.local ``` --- ### envforge drift Detect environment variable drift across .env files. ``` Usage: envforge drift [OPTIONS] --envs ... ``` | Flag | Description | |------|-------------| | `--schema ` | Path to .env.schema (auto-detected if omitted) | | `--environment ` | Environment name for schema overrides | | `--envs ...` | .env files to compare | **Examples:** ```bash envforge drift --envs .env.development .env.production envforge drift --envs .env .env.staging --schema .env.schema envforge drift --envs .env .env.prod --environment production ``` --- ## Runtime ### envforge run Run a command with EnvForge-managed environment variables. ``` Usage: envforge run [OPTIONS] -- ... ``` | Argument | Description | |----------|-------------| | `...` | Command and arguments to run (after `--`) | | Flag | Description | |------|-------------| | `--profile ` | Profile to use (default: active profile) | | `--profiles ` | Load and merge multiple profiles (comma-separated, last wins) | | `--resolve` | Resolve secret references (ref:provider:path) at runtime | | `--env-file ` | Load additional .env file(s) (can be repeated) | | `--override ` | Override a specific variable (KEY=VALUE, can be repeated) | | `--volatile` | AI-agent-safe mode: resolve secrets in memory only, skip .env disk files | | `--redact` | Redact known secret values in subprocess output | | `--no-project` | Skip project config auto-detection | **Examples:** ```bash # Run a command with environment variables envforge run -- node server.js # Use a specific profile envforge run --profile production -- npm start # Merge multiple profiles (last wins) envforge run --profiles base,staging -- ./deploy.sh # Resolve secret references at runtime envforge run --resolve -- python app.py # Override a variable for this run envforge run --override PORT=3001 -- npm start # AI-safe volatile mode (secrets never touch disk) envforge run --volatile --resolve -- ./my-agent.sh # Redact secrets from subprocess output envforge run --redact -- ./scripts/debug.sh # Combine env files with overrides envforge run --env-file .env.local --override DEBUG=true -- cargo test # Skip project config auto-detection envforge run --no-project -- npm start ``` --- ### envforge env Output environment variables as shell export statements (for `eval`). ``` Usage: envforge env [OPTIONS] ``` | Flag | Description | |------|-------------| | `--dir ` | Directory to load from (default: current) | **Examples:** ```bash eval "$(envforge env)" eval "$(envforge env --dir /path/to/project)" ``` --- ### envforge hook Generate shell hook for auto-loading environment variables. ``` Usage: envforge hook [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Shell type: `zsh`, `bash`, `fish` | **Examples:** ```bash # Add to .zshrc eval "$(envforge hook zsh)" # Add to .bashrc eval "$(envforge hook bash)" # Add to fish config envforge hook fish | source ``` --- ## Profiles ### envforge profile list List all profiles. ``` Usage: envforge profile list [OPTIONS] ``` **Examples:** ```bash envforge profile list envforge profile list --json ``` --- ### envforge profile switch Switch to a profile. ``` Usage: envforge profile switch [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Profile name | **Examples:** ```bash envforge profile switch staging envforge profile switch production --dry-run ``` --- ### envforge profile create Create a new profile. ``` Usage: envforge profile create [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Profile name | **Examples:** ```bash envforge profile create staging envforge profile create testing --dry-run ``` --- ### envforge profile delete Delete a profile. ``` Usage: envforge profile delete [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Profile name | **Examples:** ```bash envforge profile delete old-staging envforge profile delete temp --dry-run ``` --- ### envforge profile diff Compare environment variables between two profiles. ``` Usage: envforge profile diff [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | First profile name | | `` | Second profile name | **Examples:** ```bash envforge profile diff development production envforge profile diff staging prod --json ``` --- ## Project Management Project-scoped env management with multi-environment support, guided setup, and provider integration. Config file: `.envforge.project.{toml,yaml,json}`. ### envforge project init Initialize project-scoped env management. ``` Usage: envforge project init [OPTIONS] ``` | Flag | Description | |------|-------------| | `--format ` | Config format: `toml`, `yaml`, `json` [default: toml] | | `--force` | Force reinitialize (overwrite existing config) | **Examples:** ```bash envforge project init envforge project init --format yaml envforge project init --force ``` Creates `.envforge.project.toml` (or `.yaml`/`.json`), a default `.env.development` file, and adds `.env.*` patterns to `.gitignore`. --- ### envforge project wizard Interactive 3-step guided setup: init → schema → key-value entry. Resumable — skips already completed steps. ``` Usage: envforge project wizard [OPTIONS] ``` | Flag | Description | |------|-------------| | `--force` | Force re-run all steps | **Examples:** ```bash envforge project wizard envforge project wizard --force ``` **Steps:** 1. **Init** — Creates project config (detects existing `.env` and `.env.schema`) 2. **Schema** — Generates `.env.schema` from current `.env` file 3. **Values** — Interactive prompts for each schema key --- ### envforge project env create Create a new environment. ``` Usage: envforge project env create [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Environment name (lowercase alphanumeric + hyphens) | | Flag | Description | |------|-------------| | `--description ` | Optional description | **Examples:** ```bash envforge project env create staging envforge project env create production --description "Live production environment" ``` --- ### envforge project env list List all environments with active indicator. ``` Usage: envforge project env list ``` **Examples:** ```bash envforge project env list ``` --- ### envforge project env switch Switch active environment. ``` Usage: envforge project env switch ``` | Argument | Description | |----------|-------------| | `` | Environment name to activate | **Examples:** ```bash envforge project env switch production envforge project env switch staging ``` --- ### envforge project env delete Delete an environment. ``` Usage: envforge project env delete ``` | Argument | Description | |----------|-------------| | `` | Environment name to delete | **Examples:** ```bash envforge project env delete staging ``` --- ### envforge project env diff Compare two environments side-by-side. ``` Usage: envforge project env diff ``` | Argument | Description | |----------|-------------| | `` | First environment name | | `` | Second environment name | **Examples:** ```bash envforge project env diff development production envforge project env diff staging production ``` --- ### envforge project validate Validate project env against schema. ``` Usage: envforge project validate [OPTIONS] ``` | Flag | Description | |------|-------------| | `--environment ` | Validate a specific environment (default: active) | **Examples:** ```bash envforge project validate envforge project validate --environment production ``` --- ### envforge project scan Scan project for leaked secrets. ``` Usage: envforge project scan [OPTIONS] ``` | Flag | Description | |------|-------------| | `--staged` | Only scan git staged files | | `--mcp` | Scan MCP config files | **Examples:** ```bash envforge project scan envforge project scan --staged envforge project scan --mcp ``` --- ### envforge project schema generate Generate `.env.schema` from project env. ``` Usage: envforge project schema generate [OPTIONS] ``` | Flag | Description | |------|-------------| | `--output ` | Output file path (default: `.env.schema`) | **Examples:** ```bash envforge project schema generate envforge project schema generate --output custom-schema.toml ``` --- ### envforge project schema emit-ai Generate AI-safe context file (key names and types only, no values). ``` Usage: envforge project schema emit-ai [OPTIONS] ``` | Flag | Description | |------|-------------| | `--output ` | Output file path | | `--infer` | Infer types from current env vars | **Examples:** ```bash envforge project schema emit-ai envforge project schema emit-ai --infer --output ai-context.md ``` --- ### envforge project config Show or edit project configuration. ``` Usage: envforge project config [OPTIONS] ``` | Flag | Description | |------|-------------| | `--set ` | Set a config value | **Examples:** ```bash envforge project config envforge project config --set name=my-app envforge project config --set schema_path=.env.schema ``` --- ### envforge project status Show project health overview. ``` Usage: envforge project status ``` **Examples:** ```bash envforge project status ``` --- ### envforge project pull Pull secrets from provider into project env. ``` Usage: envforge project pull [OPTIONS] --from ``` | Flag | Description | |------|-------------| | `--from ` | Provider name (vault, aws-ssm, doppler, etc.) | | `--path ` | Secret path in the provider [default: ""] | | `--filter ` | Filter keys by glob pattern | | `--environment ` | Target specific environment (default: active) | **Examples:** ```bash envforge project pull --from vault --path secret/myapp envforge project pull --from doppler --environment production envforge project pull --from aws-ssm --path /myapp/ --filter "DB_*" ``` --- ### envforge project push Push project env to provider. ``` Usage: envforge project push [OPTIONS] --to ``` | Flag | Description | |------|-------------| | `--to ` | Provider name | | `--path ` | Secret path in the provider [default: ""] | | `--keys ` | Specific keys to push (comma-separated) | | `--all` | Push all keys | | `--filter ` | Filter keys by glob pattern | **Examples:** ```bash envforge project push --to vault --path secret/myapp --keys DATABASE_URL,API_KEY envforge project push --to doppler --all ``` --- ### envforge project fence Create AI ignore rules for project. ``` Usage: envforge project fence ``` **Examples:** ```bash envforge project fence ``` --- ### envforge project sanitize Sanitize file by replacing secret values found in project env. ``` Usage: envforge project sanitize [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | File to sanitize | | Flag | Description | |------|-------------| | `--output ` | Output file (default: stdout) | **Examples:** ```bash envforge project sanitize docker-compose.yml envforge project sanitize config.yaml --output config.sanitized.yaml ``` --- ### envforge project export Export project env. ``` Usage: envforge project export [OPTIONS] [PATH] ``` | Argument | Description | |----------|-------------| | `[PATH]` | Output file path (default: stdout) | | Flag | Description | |------|-------------| | `--safe` | Redact sensitive values | | `--format ` | Output format (dotenv, json, yaml, etc.) | | `--filter ` | Filter keys by glob pattern | **Examples:** ```bash envforge project export envforge project export --format json envforge project export --safe --format yaml envforge project export .env.export --filter "DB_*" ``` --- ## Encryption ### envforge encrypt Encrypt a variable's value. ``` Usage: envforge encrypt [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name | **Examples:** ```bash envforge encrypt DATABASE_PASSWORD envforge encrypt API_SECRET --dry-run ``` --- ### envforge decrypt Decrypt a variable's value. ``` Usage: envforge decrypt [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name | **Examples:** ```bash envforge decrypt DATABASE_PASSWORD envforge decrypt API_SECRET --json ``` --- ## Snapshots & Undo ### envforge snapshot create Create a snapshot of current environment variables. ``` Usage: envforge snapshot create [OPTIONS] [NAME] ``` | Argument | Description | |----------|-------------| | `[NAME]` | Snapshot name (default: auto-generated timestamp) | **Examples:** ```bash envforge snapshot create envforge snapshot create pre-deploy envforge snapshot create before-migration --dry-run ``` --- ### envforge snapshot list List all snapshots. ``` Usage: envforge snapshot list [OPTIONS] ``` **Examples:** ```bash envforge snapshot list envforge snapshot list --json ``` --- ### envforge snapshot restore Restore environment variables from a snapshot. ``` Usage: envforge snapshot restore [OPTIONS] [NAME] ``` | Argument | Description | |----------|-------------| | `[NAME]` | Snapshot name (substring match) | | Flag | Description | |------|-------------| | `--last` | Restore the most recent snapshot | **Examples:** ```bash envforge snapshot restore pre-deploy envforge snapshot restore --last envforge snapshot restore pre-deploy --dry-run ``` --- ### envforge snapshot diff Show diff between a snapshot and current environment. ``` Usage: envforge snapshot diff [OPTIONS] [NAME] ``` | Argument | Description | |----------|-------------| | `[NAME]` | Snapshot name (substring match) | | Flag | Description | |------|-------------| | `--last` | Diff against the most recent snapshot | **Examples:** ```bash envforge snapshot diff pre-deploy envforge snapshot diff --last ``` --- ### envforge snapshot delete Delete a snapshot. ``` Usage: envforge snapshot delete [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Snapshot name (substring match) | **Examples:** ```bash envforge snapshot delete pre-deploy envforge snapshot delete old-snapshot --dry-run ``` --- ### envforge undo Undo the last mutation using backup snapshots. ``` Usage: envforge undo [OPTIONS] ``` | Flag | Description | |------|-------------| | `--list` | List available undo snapshots | **Examples:** ```bash # List available undo points envforge undo --list # Undo the last mutation envforge undo # Preview undo envforge undo --dry-run ``` --- ## Backups ### envforge backup list List available backups. ``` Usage: envforge backup list [OPTIONS] ``` **Examples:** ```bash envforge backup list envforge backup list --json ``` --- ### envforge backup restore Restore from a backup file. ``` Usage: envforge backup restore [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Path to backup file | **Examples:** ```bash envforge backup restore ~/.envforge/backups/2025-01-01.toml envforge backup restore backup.toml --dry-run ``` --- ## Remote Sync ### envforge sync init Initialize sync repository. ``` Usage: envforge sync init [OPTIONS] ``` | Flag | Description | |------|-------------| | `--remote ` | Remote git URL to clone from | | `--machine-id ` | Custom machine ID | | `--force` | Force reinitialize (backup existing) | **Examples:** ```bash envforge sync init envforge sync init --remote git@github.com:myorg/env-sync.git envforge sync init --force --machine-id macbook-work ``` --- ### envforge sync push Push local changes to sync repository. ``` Usage: envforge sync push [OPTIONS] ``` | Flag | Description | |------|-------------| | `-m, --message ` | Custom commit message | **Examples:** ```bash envforge sync push envforge sync push -m "Updated API keys for Q2" envforge sync push --dry-run ``` --- ### envforge sync pull Pull remote changes to local. ``` Usage: envforge sync pull [OPTIONS] ``` **Examples:** ```bash envforge sync pull envforge sync pull --dry-run ``` --- ### envforge sync status Show sync status (local vs snapshot diff). ``` Usage: envforge sync status [OPTIONS] ``` **Examples:** ```bash envforge sync status envforge sync status --json ``` --- ### envforge sync mark Mark keys for sync or local-only. ``` Usage: envforge sync mark [OPTIONS] [KEY] ``` | Argument | Description | |----------|-------------| | `[KEY]` | Key name or glob pattern (optional when `--all` is used) | | Flag | Description | |------|-------------| | `--sync` | Mark as synced | | `--local` | Mark as local-only | | `--all` | Apply to all keys | **Examples:** ```bash envforge sync mark LOCAL_SECRET --local envforge sync mark --all --sync envforge sync mark "DEV_*" --local ``` --- ### envforge sync list-keys List keys with sync/local status. ``` Usage: envforge sync list-keys [OPTIONS] ``` **Examples:** ```bash envforge sync list-keys envforge sync list-keys --json ``` --- ### envforge sync override Set a machine-specific override. ``` Usage: envforge sync override [OPTIONS] [VALUE] ``` | Argument | Description | |----------|-------------| | `` | Key name | | `[VALUE]` | Value (omit to remove override) | | Flag | Description | |------|-------------| | `--remove` | Remove override | | `--list` | List all overrides | **Examples:** ```bash envforge sync override DATABASE_HOST localhost envforge sync override DATABASE_HOST --remove envforge sync override unused --list ``` --- ### envforge sync history Show sync history. ``` Usage: envforge sync history [OPTIONS] ``` | Flag | Description | |------|-------------| | `-n, --n ` | Number of entries [default: 10] | **Examples:** ```bash envforge sync history envforge sync history -n 20 envforge sync history --json ``` --- ### envforge sync rollback Rollback to a previous snapshot. ``` Usage: envforge sync rollback [OPTIONS] [COMMIT] ``` | Argument | Description | |----------|-------------| | `[COMMIT]` | Commit hash to rollback to | | Flag | Description | |------|-------------| | `--last` | Rollback to previous snapshot | **Examples:** ```bash envforge sync rollback --last envforge sync rollback abc1234 envforge sync rollback --last --dry-run ``` --- ### envforge sync log View sync operation log. ``` Usage: envforge sync log [OPTIONS] ``` | Flag | Description | |------|-------------| | `-n, --n ` | Number of entries [default: 10] | **Examples:** ```bash envforge sync log envforge sync log -n 25 ``` --- ### envforge sync machine Show machine info. ``` Usage: envforge sync machine [OPTIONS] ``` **Examples:** ```bash envforge sync machine envforge sync machine --json ``` --- ## Secret Managers ### envforge secrets pull Pull secrets from a provider. ``` Usage: envforge secrets pull [OPTIONS] --from ``` | Flag | Description | |------|-------------| | `--from ` | Provider name (vault, aws-ssm, 1password, doppler, infisical, gcp, azure, bitwarden, akeyless, conjur, sops, pass, keeper) | | `--path ` | Secret path in the provider [default: ""] | | `--filter ` | Filter keys by glob pattern | **Examples:** ```bash envforge secrets pull --from vault --path secret/myapp envforge secrets pull --from aws-ssm --path /myapp/ --filter "DB_*" envforge secrets pull --from 1password --path "My Vault" --dry-run ``` --- ### envforge secrets push Push secrets to a provider. ``` Usage: envforge secrets push [OPTIONS] --to ``` | Flag | Description | |------|-------------| | `--to ` | Provider name | | `--path ` | Secret path in the provider [default: ""] | | `--keys ` | Specific keys to push (comma-separated) | | `--all` | Push all keys | | `--filter ` | Filter keys by glob pattern | **Examples:** ```bash envforge secrets push --to vault --path secret/myapp --keys DATABASE_URL,API_KEY envforge secrets push --to doppler --all envforge secrets push --to aws-ssm --path /prod/ --filter "PROD_*" ``` --- ### envforge secrets ref Create a reference to a remote secret. ``` Usage: envforge secrets ref [OPTIONS] --from --path ``` | Argument | Description | |----------|-------------| | `` | ENV key name | | Flag | Description | |------|-------------| | `--from ` | Provider name | | `--path ` | Full path in the provider (including key name) | **Examples:** ```bash envforge secrets ref DATABASE_URL --from vault --path secret/myapp/db_url envforge secrets ref API_KEY --from aws-ssm --path /prod/api-key ``` --- ### envforge secrets unref Remove a reference (convert back to normal key). ``` Usage: envforge secrets unref [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | ENV key name | **Examples:** ```bash envforge secrets unref DATABASE_URL envforge secrets unref API_KEY --dry-run ``` --- ### envforge secrets resolve Resolve secret references. ``` Usage: envforge secrets resolve [OPTIONS] ``` | Flag | Description | |------|-------------| | `--key ` | Specific key to resolve (omit for all) | **Examples:** ```bash envforge secrets resolve envforge secrets resolve --key DATABASE_URL ``` --- ### envforge secrets config Configure provider credentials. ``` Usage: envforge secrets config [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Provider name | | Flag | Description | |------|-------------| | `--set ` | Set a credential value (key=value format) | | `--show` | Show stored credentials | | `--remove` | Remove all credentials for this provider | | `--ttl ` | Set TTL for the credential (e.g., "8h", "24h", "7d", "30d"). Used with --set | **Examples:** ```bash envforge secrets config vault --set addr=https://vault.example.com envforge secrets config vault --set token=hvs.abc123 --ttl 8h envforge secrets config vault --show envforge secrets config doppler --remove ``` --- ### envforge secrets providers List available providers and their status. ``` Usage: envforge secrets providers [OPTIONS] ``` **Examples:** ```bash envforge secrets providers envforge secrets providers --json ``` --- ### envforge secrets status Show which keys come from which provider. ``` Usage: envforge secrets status [OPTIONS] ``` **Examples:** ```bash envforge secrets status envforge secrets status --json ``` --- ### envforge secrets age Show age of tracked secrets, flag stale ones. ``` Usage: envforge secrets age [OPTIONS] ``` | Flag | Description | |------|-------------| | `--threshold ` | Stale threshold in days [default: 90] | | `--stale-only` | Only show stale secrets | **Examples:** ```bash envforge secrets age envforge secrets age --threshold 30 envforge secrets age --stale-only ``` --- ### envforge secrets diff Compare local ENV vars vs provider state. ``` Usage: envforge secrets diff [OPTIONS] --from ``` | Flag | Description | |------|-------------| | `--from ` | Provider name | | `--path ` | Secret path in the provider [default: ""] | | `--filter ` | Filter keys by glob pattern | **Examples:** ```bash envforge secrets diff --from vault --path secret/myapp envforge secrets diff --from aws-ssm --path /prod/ --filter "API_*" ``` --- ### envforge secrets cache list List all cached secrets. ``` Usage: envforge secrets cache list [OPTIONS] ``` **Examples:** ```bash envforge secrets cache list envforge secrets cache list --json ``` --- ### envforge secrets cache clear Clear cache. ``` Usage: envforge secrets cache clear [OPTIONS] ``` | Flag | Description | |------|-------------| | `--provider ` | Only clear cache for a specific provider | **Examples:** ```bash envforge secrets cache clear envforge secrets cache clear --provider vault ``` --- ### envforge rotate Rotate a secret: update value, reset age, optionally push to provider and sync. ``` Usage: envforge rotate [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Variable name to rotate | | Flag | Description | |------|-------------| | `--dry-run` | Preview rotation without making changes | | `--stale` | Rotate all stale secrets interactively | | `--propagate` | Auto-push to provider and sync after rotation (no interactive prompts) | **Examples:** ```bash envforge rotate API_KEY envforge rotate DATABASE_PASSWORD --dry-run envforge rotate unused --stale envforge rotate STRIPE_KEY --propagate ``` --- ### envforge resolve-uri Resolve secret URIs in a config file (vault://path, aws-ssm://path, etc.). ``` Usage: envforge resolve-uri [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Path to file with secret URIs | | Flag | Description | |------|-------------| | `--env` | Output as .env format (default: export statements) | | `--output ` | Output file (default: stdout) | **Examples:** ```bash envforge resolve-uri config/secrets.yml envforge resolve-uri config/secrets.yml --env envforge resolve-uri config/secrets.yml --output .env.resolved ``` --- ### Provider Quick Reference | Provider | Name | Binary | Required Fields | Path Used? | |----------|------|--------|-----------------|------------| | HashiCorp Vault | `vault` | `vault` | `addr` | Yes — KV mount path | | AWS SSM | `aws-ssm` | `aws` | _(none)_ | Yes — parameter path prefix | | 1Password | `1password` | `op` | `service_account_token` | Yes — item name or UUID | | Doppler | `doppler` | `doppler` | `token`, `project`, `config` | No — ignored | | Infisical | `infisical` | `infisical` | `token`, `project_id`, `environment` | No — ignored | | GCP Secret Manager | `gcp` | `gcloud` | `project_id` | No — ignored | | Azure Key Vault | `azure` | `az` | `vault_name` | No — ignored | | Bitwarden | `bitwarden` | `bws` | `access_token` | No — ignored | | Akeyless | `akeyless` | `akeyless` | `access_id`, `access_key` | Yes — item path prefix | | CyberArk Conjur | `conjur` | `conjur` | `url`, `account`, `login`, `api_key` | Yes — variable path prefix | | Mozilla SOPS | `sops` | `sops` | `key_file` | Yes — encrypted file path | | pass/gopass | `pass` | `pass`/`gopass` | _(none)_ | Yes — entry prefix filter | | Keeper | `keeper` | `ksm` | _(none)_ | No — ignored | --- ## Secret Sharing ### envforge share create Create an encrypted share file. ``` Usage: envforge share create [OPTIONS] --recipient ``` | Flag | Description | |------|-------------| | `--recipient ` | Recipient's age public key (age1...) | | `--keys ` | Specific keys to share (comma-separated) | | `--all` | Share all keys | | `--filter ` | Filter by pattern | | `--output ` | Output file path [default: envforge-share.age] | | `--expire ` | Expiry in hours | **Examples:** ```bash envforge share create --recipient age1abc... --keys API_KEY,DB_URL envforge share create --recipient age1abc... --all --expire 24 envforge share create --recipient age1abc... --filter "PROD_*" --output prod-secrets.age ``` --- ### envforge share receive Receive and import a share file. ``` Usage: envforge share receive [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Path to share file | | Flag | Description | |------|-------------| | `--import` | Import keys into EnvForge config | **Examples:** ```bash envforge share receive envforge-share.age envforge share receive prod-secrets.age --import ``` --- ## Security Scanning ### envforge scan Scan files for leaked secrets. ``` Usage: envforge scan [OPTIONS] [PATH] ``` | Argument | Description | |----------|-------------| | `[PATH]` | Path to scan (default: current directory) | | Flag | Description | |------|-------------| | `--staged` | Only scan git staged files | | `--install-hook` | Install git pre-commit hook that runs `envforge scan --staged` | | `--remove-hook` | Remove the envforge pre-commit hook | | `--mcp` | Scan MCP config files for hardcoded credentials | **Examples:** ```bash envforge scan envforge scan ./src envforge scan --staged envforge scan --install-hook envforge scan --mcp ``` --- ### envforge mcp status Check if any MCP config files contain plaintext secrets. ``` Usage: envforge mcp status [OPTIONS] ``` **Examples:** ```bash envforge mcp status envforge mcp status --json ``` --- ### envforge mcp harden Replace plaintext secrets with ${VAR} env var references (backs up originals). ``` Usage: envforge mcp harden [OPTIONS] ``` **Examples:** ```bash envforge mcp harden envforge mcp harden --dry-run ``` --- ## AI Safety ### envforge fence Create AI tool ignore rules for all supported tools (Cursor, Copilot, Claude Code), or check status. ``` Usage: envforge fence [OPTIONS] ``` | Flag | Description | |------|-------------| | `--status` | Check if all ignore rules are correctly installed | **Examples:** ```bash envforge fence envforge fence --status envforge fence --dry-run ``` --- ### envforge sanitize Sanitize a file by replacing secret values with ${KEY} placeholders. ``` Usage: envforge sanitize [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | File to sanitize | | Flag | Description | |------|-------------| | `--output ` | Output file (default: stdout) | **Examples:** ```bash envforge sanitize config.json envforge sanitize docker-compose.yml --output docker-compose.sanitized.yml envforge sanitize .env --dry-run ``` --- ### envforge ai-hook install Install hooks for an AI coding tool. ``` Usage: envforge ai-hook install [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Tool name: `claude-code`, `cursor` | **Examples:** ```bash envforge ai-hook install claude-code envforge ai-hook install cursor ``` --- ### envforge ai-hook remove Remove hooks from an AI coding tool. ``` Usage: envforge ai-hook remove [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Tool name: `claude-code`, `cursor` | **Examples:** ```bash envforge ai-hook remove claude-code envforge ai-hook remove cursor ``` --- ### envforge ai-hook status Check if AI tool hooks are installed. ``` Usage: envforge ai-hook status [OPTIONS] ``` **Examples:** ```bash envforge ai-hook status envforge ai-hook status --json ``` --- ### envforge ai-guard AI agent guard — invoked by AI tool hooks (not for direct use). ``` Usage: envforge ai-guard [OPTIONS] [TOOL_INPUT] ``` | Argument | Description | |----------|-------------| | `` | Hook stage: `pre-tool`, `post-tool` | | `` | Tool name | | `[TOOL_INPUT]` | Tool input (JSON string or path) | **Examples:** ```bash envforge ai-guard pre-tool Write '{"file_path": ".env"}' envforge ai-guard post-tool Read '{"file_path": "config.json"}' ``` --- ### envforge proxy Start local credential proxy for AI agents. ``` Usage: envforge proxy [OPTIONS] ``` | Flag | Description | |------|-------------| | `--port ` | Port to listen on [default: 8100] | | `--keys ` | Only serve these keys (comma-separated) | | `--profile ` | Profile to use | | `--allow-origins ` | Allowed origins (comma-separated, default: localhost only) | | `--require-lease` | Require active lease for access | | `--require-approval` | Require human approval for each secret access | **Examples:** ```bash envforge proxy envforge proxy --keys API_KEY,DATABASE_URL --port 9000 envforge proxy --require-lease --require-approval envforge proxy --allow-origins "http://localhost:3000,http://localhost:8080" ``` --- ### envforge lease create Create a new time-bounded secret access lease. ``` Usage: envforge lease create [OPTIONS] --ttl ``` | Flag | Description | |------|-------------| | `--name ` | Lease name (default: auto-generated) | | `--ttl ` | Time-to-live (e.g., "1h", "30m", "8h", "24h", "7d") | | `--keys ` | Restrict to specific keys (comma-separated) | **Examples:** ```bash envforge lease create --ttl 1h envforge lease create --name deploy-lease --ttl 30m --keys API_KEY,SECRET envforge lease create --ttl 7d ``` --- ### envforge lease list List all leases. ``` Usage: envforge lease list [OPTIONS] ``` **Examples:** ```bash envforge lease list envforge lease list --json ``` --- ### envforge lease cleanup Clean up expired leases. ``` Usage: envforge lease cleanup [OPTIONS] ``` **Examples:** ```bash envforge lease cleanup envforge lease cleanup --dry-run ``` --- ### envforge session start Start a new AI tool session with scoped secret access. ``` Usage: envforge session start [OPTIONS] ``` | Flag | Description | |------|-------------| | `--tool ` | AI tool type: `claude-code`, `cursor`, `copilot` (auto-detected if omitted) | | `--ttl ` | Session TTL (e.g., "1h", "30m", "8h", "1d") [default: 1h] | **Examples:** ```bash envforge session start envforge session start --tool claude-code envforge session start --tool cursor --ttl 30m ``` --- ### envforge session stop Stop (expire) a session. ``` Usage: envforge session stop [OPTIONS] [ID] ``` | Argument | Description | |----------|-------------| | `[ID]` | Session ID to stop (current session if omitted) | **Examples:** ```bash envforge session stop envforge session stop 246f86ae-8b41-48bb-b9f7-0da491594b23 ``` --- ### envforge session list List active and expired sessions. ``` Usage: envforge session list [OPTIONS] ``` **Examples:** ```bash envforge session list envforge session list --json ``` --- ### envforge session show Show details for a specific session. ``` Usage: envforge session show [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Session ID | **Examples:** ```bash envforge session show 246f86ae-8b41-48bb-b9f7-0da491594b23 envforge session show 246f86ae-8b41-48bb-b9f7-0da491594b23 --json ``` --- ### envforge session cleanup Clean up expired sessions. ``` Usage: envforge session cleanup [OPTIONS] ``` **Examples:** ```bash envforge session cleanup envforge session cleanup --dry-run ``` --- ### envforge revoke Emergency revoke all secret access. ``` Usage: envforge revoke [OPTIONS] [NAME] ``` | Argument | Description | |----------|-------------| | `[NAME]` | Specific lease name to revoke | | Flag | Description | |------|-------------| | `--all` | Revoke all active leases (killswitch) | **Examples:** ```bash envforge revoke deploy-lease envforge revoke --all envforge revoke --all --dry-run ``` --- ## Canary Tokens ### envforge canary create Create a canary secret (honeypot credential for exfiltration detection). ``` Usage: envforge canary create [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Key name (e.g., AWS_SECRET_KEY) | | Flag | Description | |------|-------------| | `--pattern ` | Pattern: `aws_key`, `github_token`, `stripe_key`, `slack_token`, `gitlab_token`, `generic` [default: generic] | **Examples:** ```bash envforge canary create HONEYPOT_API_KEY envforge canary create AWS_SECRET_ACCESS_KEY --pattern aws_key envforge canary create GITHUB_TOKEN --pattern github_token ``` --- ### envforge canary list List all canary secrets. ``` Usage: envforge canary list [OPTIONS] ``` **Examples:** ```bash envforge canary list envforge canary list --json ``` --- ### envforge canary check Check for triggered canaries. ``` Usage: envforge canary check [OPTIONS] ``` **Examples:** ```bash envforge canary check envforge canary check --json ``` --- ### envforge canary delete Delete a canary. ``` Usage: envforge canary delete [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Canary key name | **Examples:** ```bash envforge canary delete HONEYPOT_API_KEY envforge canary delete OLD_CANARY --dry-run ``` --- ### envforge canary rotate Rotate canary values (regenerate fake values). ``` Usage: envforge canary rotate [OPTIONS] ``` | Flag | Description | |------|-------------| | `--all` | Rotate all eligible canaries | | `--key ` | Rotate a specific canary by key | | `--dry-run` | Show what would be rotated without making changes | **Examples:** ```bash envforge canary rotate --key HONEYPOT_API_KEY envforge canary rotate --all envforge canary rotate --all --dry-run ``` --- ### envforge canary place Place a canary line into a file. ``` Usage: envforge canary place [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Canary key | | `` | Target file path | | Flag | Description | |------|-------------| | `--position ` | Position: `top`, `middle`, `bottom`, `random` [default: bottom] | **Examples:** ```bash envforge canary place HONEYPOT_API_KEY ./src/config.ts envforge canary place AWS_SECRET ./src/index.ts --position top ``` --- ## Adversarial Hardening ### envforge hardening show Show current hardening configuration. ``` Usage: envforge hardening show [OPTIONS] ``` **Examples:** ```bash envforge hardening show ``` --- ### envforge hardening enable Enable a hardening layer. ``` Usage: envforge hardening enable [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Layer name: `control_chars`, `base64_decode`, `split_strings`, `encoding_chain` | **Examples:** ```bash envforge hardening enable control_chars envforge hardening enable base64_decode ``` --- ### envforge hardening disable Disable a hardening layer. ``` Usage: envforge hardening disable [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Layer name: `control_chars`, `base64_decode`, `split_strings`, `encoding_chain` | **Examples:** ```bash envforge hardening disable control_chars envforge hardening disable encoding_chain ``` --- ### envforge scanner list List configured external scanners. ``` Usage: envforge scanner list [OPTIONS] ``` **Examples:** ```bash envforge scanner list ``` --- ### envforge scanner test Test a scanner with sample content. ``` Usage: envforge scanner test [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Scanner name | **Examples:** ```bash envforge scanner test trufflehog ``` --- ### envforge scanner run Run a scanner against arbitrary content. ``` Usage: envforge scanner run [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Scanner name | | `` | Content to scan | **Examples:** ```bash envforge scanner run trufflehog "sk-abc123def456" ``` --- ### envforge scanner enable Enable a scanner. ``` Usage: envforge scanner enable [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Scanner name | **Examples:** ```bash envforge scanner enable trufflehog ``` --- ### envforge scanner disable Disable a scanner. ``` Usage: envforge scanner disable [OPTIONS] ``` | Argument | Description | |----------|-------------| | `` | Scanner name | **Examples:** ```bash envforge scanner disable trufflehog ``` --- ## Audit & Diagnostics ### envforge audit View change audit trail from sync history. ``` Usage: envforge audit [OPTIONS] ``` | Flag | Description | |------|-------------| | `--key ` | Filter by key name | | `--since ` | Filter changes since date (ISO 8601) | | `--machine ` | Filter by machine ID | | `-n, --n ` | Number of entries to show [default: 50] | | `--ai-leaks` | Scan git history for secrets leaked in AI-assisted commits | | `--access` | Show proxy access audit log | **Examples:** ```bash envforge audit envforge audit --key DATABASE_URL envforge audit --since 2025-01-01 envforge audit --ai-leaks envforge audit --access envforge audit --machine macbook-work -n 20 ``` --- ### envforge audit-trail query Query audit events with filters. ``` Usage: envforge audit-trail query [OPTIONS] ``` | Flag | Description | |------|-------------| | `--event-type ` | Filter by event type | | `--source ` | Filter by source | | `--secret-key ` | Filter by secret key | | `--time