Environment Variable Manager (env-manager)

Comprehensive environment variable validation, security scanning, and management for modern web applications.

Overview

The env-manager skill provides systematic environment variable management across local development, CI/CD pipelines, and deployment platforms. It prevents common issues like missing variables, exposed secrets, and framework-specific configuration errors.

Key Features:

Framework-Aware Validation: Next.js, Vite, React, Node.js, Flask support
Security-First: Never logs secrets, detects exposed credentials
Platform Integration: Ready for Vercel, Railway, Heroku, and CI/CD
Fast: Validates 1000 variables in 0.025s (80x faster than 2s target)
Zero Dependencies: Pure Python, works anywhere

Why Use env-manager?

Common problems this solves:

"Works on my machine, but not in production" (missing env vars)
Accidentally exposing API keys in client-side code (NEXT_PUBLIC_ with secrets)
Missing required variables during deployment
Inconsistent .env files across team members
No documentation of required environment variables
Security vulnerabilities from exposed secrets

Quick Start

Installation

No installation needed! env-manager is a bundled skill in Claude MPM.

Requirements:

Python 3.7+
No external dependencies

5-Minute Quick Start

1. Validate your .env file

python3 scripts/validate_env.py .env

2. Check for framework-specific issues (Next.js example)

python3 scripts/validate_env.py .env --framework nextjs

3. Compare with .env.example to find missing vars

python3 scripts/validate_env.py .env --compare-with .env.example

4. Generate .env.example for documentation

python3 scripts/validate_env.py .env --generate-example .env.example

5. Get JSON output for CI/CD integration

python3 scripts/validate_env.py .env --json

That's it! Environment variables are now validated professionally.

Usage Examples

Basic Validation

Validate a .env file for structural issues:

python3 scripts/validate_env.py .env

What it checks:

Valid key=value format
No duplicate keys
Proper naming conventions (UPPERCASE_WITH_UNDERSCORES)
No empty values (unless explicitly allowed)
Proper quoting for values with spaces

Example output:

✅ Validation successful!

15 variables validated
0 errors
0 warnings

Framework-Specific Validation

Next.js

Validate Next.js environment variables:

python3 scripts/validate_env.py .env.local --framework nextjs

Next.js-specific checks:

NEXT_PUBLIC_* variables are client-exposed (warns if secrets detected)
.env.local, .env.production, .env file hierarchy
Detects secrets in client-side variables

Example:

.env.local

NEXT_PUBLIC_API_URL=https://api.example.com NEXT_PUBLIC_API_KEY=secret123 # ⚠️ WARNING: Secret in client-exposed variable! DATABASE_URL=postgresql://... # ✅ Server-side only

Vite

python3 scripts/validate_env.py .env --framework vite

Vite-specific checks:

VITE_* variables are client-exposed
Warns if secrets detected in VITE_ prefixed vars

React (Create React App)

python3 scripts/validate_env.py .env --framework react

React-specific checks:

REACT_APP_* variables are client-exposed
Warns if secrets in REACT_APP_ prefixed vars

Node.js/Express

python3 scripts/validate_env.py .env --framework nodejs

Node.js-specific checks:

Common NODE_ENV, PORT, DATABASE_URL patterns
Standard Node.js conventions

Flask/Python

python3 scripts/validate_env.py .env --framework flask

Flask-specific checks:

FLASK_APP, FLASK_ENV variables
SQLAlchemy DATABASE_URL format

Comparing with .env.example

Ensure your .env has all required variables:

python3 scripts/validate_env.py .env --compare-with .env.example

What it checks:

All variables in .env.example exist in .env
No extra undocumented variables in .env

Example output:

❌ Missing variables:

DATABASE_URL (required in .env.example)
STRIPE_SECRET_KEY (required in .env.example)

⚠️ Extra variables not in .env.example:

DEBUG_MODE (consider adding to .env.example)

Perfect for:

Onboarding new team members
CI/CD validation
Deployment pre-checks

Generating .env.example

Create documentation for your environment variables:

python3 scripts/validate_env.py .env --generate-example .env.example

What it does:

Reads your .env file
Sanitizes secret values (replaces with placeholders)
Generates .env.example with safe defaults

Example:

Input: .env

DATABASE_URL=postgresql://user:pass@localhost/db # pragma: allowlist secret STRIPE_SECRET_KEY=sk_live_abc123xyz NEXT_PUBLIC_API_URL=https://api.example.com

Output: .env.example

DATABASE_URL=postgresql://user:password@localhost/dbname # pragma: allowlist secret STRIPE_SECRET_KEY=your_stripe_secret_key_here NEXT_PUBLIC_API_URL=https://api.example.com

Security note: env-manager detects common secret patterns and replaces them with safe placeholders.

CI/CD Integration

Get machine-readable JSON output for automated workflows:

python3 scripts/validate_env.py .env.example --strict --json

JSON output format:

{ "valid": true, "errors": [], "warnings": [], "stats": { "total_vars": 15, "errors": 0, "warnings": 0 } }

Exit codes:

0 : Validation passed
1 : Validation errors found
2 : Missing required file
3 : Warnings found (only in --strict mode)

GitHub Actions example:

name: Validate Environment Variables

on: [push, pull_request]

jobs: validate-env: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3

  - name: Validate .env.example
    run: |
      python3 scripts/validate_env.py .env.example --strict --json
    working-directory: ./path/to/skill

  - name: Check for framework-specific issues
    run: |
      python3 scripts/validate_env.py .env.example --framework nextjs --json
    working-directory: ./path/to/skill

Strict Mode

Treat warnings as errors (useful for CI/CD):

python3 scripts/validate_env.py .env --strict

When to use:

Pre-deployment validation
CI/CD pipelines
Release gates
Team standard enforcement

Quiet Mode

Show only errors, suppress warnings:

python3 scripts/validate_env.py .env --quiet

When to use:

You've already reviewed warnings
Automated scripts that only care about errors
Noisy environments where warnings are distracting

Supported Frameworks

Framework Prefix Client-Exposed Notes

Next.js NEXT_PUBLIC_*

Yes Auto-exposed in browser

Vite VITE_*

Yes Bundled into client code

React (CRA) REACT_APP_*

Yes Embedded in production build

Node.js N/A No Server-side only

Flask N/A No Server-side only

Security warning: Never put secrets in client-exposed variables (NEXT_PUBLIC_, VITE_, REACT_APP_). env-manager will warn you if it detects common secret patterns.

CLI Reference

Command Structure

python3 scripts/validate_env.py <file> [options]

Options

Option Description Example

--compare-with FILE

Compare with .env.example --compare-with .env.example

--framework {nextjs|vite|react|nodejs|flask|generic}

Framework-specific validation --framework nextjs

--strict

Treat warnings as errors --strict

--json

JSON output for automation --json

--quiet

Only show errors --quiet

--generate-example OUTPUT

Generate .env.example --generate-example .env.example

Exit Codes

Code Meaning When

Success No errors (warnings OK unless --strict)

Validation errors Structural issues, duplicates, etc.

File not found Specified .env file doesn't exist

Warnings in strict mode Warnings exist and --strict enabled

Common Use Cases

Scenario 1: New Developer Onboarding

New developer clones repo

git clone <repo> cd <project>

Copy example and fill in values

cp .env.example .env

Edit .env with actual values...

Validate setup

python3 scripts/validate_env.py .env --compare-with .env.example

If missing variables, fix them

Validation passes ✅

Scenario 2: Pre-Deployment Check

Before deploying to Vercel/Railway/Heroku

python3 scripts/validate_env.py .env.production --framework nextjs --strict

Fix any errors

Deploy with confidence ✅

Scenario 3: Security Audit

Check for accidentally exposed secrets

python3 scripts/validate_env.py .env.local --framework nextjs

Look for warnings like:

⚠️ NEXT_PUBLIC_STRIPE_SECRET: Contains potential secret in client-exposed variable

Scenario 4: Team Documentation

After adding new environment variable

echo "NEW_API_KEY=abc123" >> .env

Regenerate .env.example

python3 scripts/validate_env.py .env --generate-example .env.example

Commit updated .env.example

git add .env.example git commit -m "docs: add NEW_API_KEY to environment variables"

Scenario 5: CI/CD Quality Gate

In your CI pipeline

name: Validate environment configuration run: | python3 scripts/validate_env.py .env.example --strict --json > validation.json

Fail pipeline if validation fails

if [ $? -ne 0 ]; then cat validation.json exit 1 fi

Performance

env-manager is designed for speed:

Benchmarks:

Validates 1000 variables in 0.025s
80x faster than 2s target
Zero external dependencies
Minimal memory footprint

Why it matters:

Fast feedback during development
No CI/CD slowdown
Works in resource-constrained environments

Security Notes

Critical security features:

Never Logs Secrets: env-manager NEVER displays actual secret values in output
Client-Exposure Detection: Warns when secrets are in NEXT_PUBLIC_, VITE_, REACT_APP_ variables
Secret Sanitization: When generating .env.example, replaces secrets with safe placeholders
No Network Calls: All validation is local, no data leaves your machine

Security-audited: This skill has undergone security review. See references/security.md for details.

Best practices:

Never commit .env files with secrets
Always use .env.example for documentation
Use platform secret managers (Vercel, Railway, etc.) for production
Validate before every deployment
Run security scan regularly

DATABASE_URL= # Optional, uses SQLite if not set

✅ Better

DATABASE_URL=postgresql://localhost/mydb

File not found error

Cause: Specified .env file doesn't exist

Fix:

Check file exists

ls -la .env

Or create it

touch .env

Troubleshooting

Validation passes locally but fails in CI

Check:

Line endings (CRLF vs LF)
File encoding (UTF-8 expected)
File permissions
Python version (3.7+ required)

Warnings about client-exposed variables

This is intentional! env-manager is warning you that variables like NEXT_PUBLIC_API_KEY will be visible in the browser.

Options:

Move secret to server-side variable (remove NEXT_PUBLIC_ prefix)
Use public/publishable keys only in client-exposed variables
If truly not a secret, ignore the warning

.env.example generation replaces too much

env-manager is conservative about secrets. If it over-sanitizes:

Manually edit .env.example after generation
Use specific placeholder values in .env that won't trigger sanitization

Advanced Usage

Custom Validation Patterns

See references/validation.md for advanced validation patterns.

Platform-Specific Deployment

See references/synchronization.md for Vercel, Railway, Heroku integration patterns.

Framework-Specific Guides

See references/frameworks.md for comprehensive framework guides.

env-manager

Safety Notice

Copy this and send it to your AI assistant to learn

1. Validate your .env file

2. Check for framework-specific issues (Next.js example)

3. Compare with .env.example to find missing vars

4. Generate .env.example for documentation

5. Get JSON output for CI/CD integration

.env.local

Input: .env

Output: .env.example

New developer clones repo

Copy example and fill in values

Edit .env with actual values...

Validate setup

If missing variables, fix them

Validation passes ✅

Before deploying to Vercel/Railway/Heroku

Fix any errors

Deploy with confidence ✅

Check for accidentally exposed secrets

Look for warnings like:

⚠️ NEXT_PUBLIC_STRIPE_SECRET: Contains potential secret in client-exposed variable

After adding new environment variable

Regenerate .env.example

Commit updated .env.example

In your CI pipeline

Fail pipeline if validation fails

❌ Bad

✅ Good

❌ Bad

✅ Good

❌ Bad

✅ Good

❌ Bad (secret exposed to client!)

✅ Good (server-side only)

❌ Bad

✅ Good (if optional, document it)

✅ Better

Check file exists

Or create it

Source Transparency

Related Skills

drizzle-orm

pydantic

playwright-e2e-testing

tailwind-css