env-setup — Environment Variable Manager

Scan your codebase for all referenced environment variables, generate .env.example, validate your current .env, and ensure secrets aren't committed.

Steps

1. Scan Codebase for Environment Variables

Search for env var references across all common patterns:

# Node.js / JavaScript / TypeScript
grep -rn "process\.env\.\w\+" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx" . | grep -v node_modules | grep -v dist

# Python
grep -rn "os\.environ\|os\.getenv\|environ\.get" --include="*.py" . | grep -v __pycache__ | grep -v .venv

# Rust
grep -rn "env::var\|env::var_os\|dotenv" --include="*.rs" . | grep -v target

# Go
grep -rn "os\.Getenv\|os\.LookupEnv\|viper\." --include="*.go" . | grep -v vendor

# Docker / docker-compose
grep -rn "\${.*}" --include="*.yml" --include="*.yaml" docker-compose* 2>/dev/null

# General .env references in config files
grep -rn "env\." --include="*.toml" --include="*.yaml" --include="*.yml" . 2>/dev/null

Windows PowerShell alternative:

Get-ChildItem -Recurse -Include *.js,*.ts,*.jsx,*.tsx -Exclude node_modules,dist | Select-String "process\.env\.\w+"
Get-ChildItem -Recurse -Include *.py -Exclude __pycache__,.venv | Select-String "os\.environ|os\.getenv"

2. Extract Variable Names

Parse grep output to extract unique variable names:

• process.env.DATABASE_URL → DATABASE_URL
• os.environ.get("SECRET_KEY", "default") → SECRET_KEY (default: default)
• os.getenv("API_KEY") → API_KEY
• env::var("RUST_LOG") → RUST_LOG

Deduplicate and sort alphabetically. Note which file and line each var is referenced in.

3. Classify Variables

Categorize each variable:

4. Generate .env.example

Create .env.example with descriptions, categories, and safe defaults:

# ============================================
# Environment Configuration
# Generated by env-setup skill
# ============================================

# --- App Configuration ---
NODE_ENV=development
PORT=3000
LOG_LEVEL=info

# --- Database ---
DATABASE_URL=postgresql://user:password@localhost:5432/dbname

# --- Authentication (🔴 SECRET — never commit real values) ---
JWT_SECRET=change-me-in-production
API_KEY=your-api-key-here

# --- External Services ---
REDIS_URL=redis://localhost:6379

Rules:

• Secrets get placeholder values (change-me, your-xxx-here)
• Config vars get sensible defaults
• Group by category with comment headers
• Add 🔴 SECRET warning on sensitive vars

5. Validate Current .env

If .env exists, compare against discovered variables:

## .env Validation Report

### ❌ Missing (required by code but not in .env)
- `STRIPE_SECRET_KEY` — referenced in src/billing.ts:14
- `SMTP_PASSWORD` — referenced in src/email.ts:8

### ⚠️ Unused (in .env but not referenced in code)
- `OLD_API_ENDPOINT` — may be safe to remove

### ✅ Present and referenced
- `DATABASE_URL` ✓
- `PORT` ✓
- `NODE_ENV` ✓

6. Ensure .gitignore Safety

Check that .env is in .gitignore:

grep -q "^\.env$\|^\.env\.\*" .gitignore 2>/dev/null

If not found, offer to add:

# Environment files
.env
.env.local
.env.*.local

Also check git history for accidentally committed .env files:

git log --all --diff-filter=A -- .env .env.local .env.production 2>/dev/null

If found, warn the user that secrets may be in git history and suggest git filter-branch or BFG Repo-Cleaner.

7. Output Summary

# Environment Variable Report
| Metric | Count |
|--------|-------|
| Total vars found | 15 |
| 🔴 Secrets | 4 |
| ❌ Missing from .env | 2 |
| ⚠️ Unused in .env | 1 |
| ✅ Properly configured | 12 |
| .gitignore protection | ✅ |

Edge Cases

• Framework-specific env: Next.js uses NEXT_PUBLIC_* (client-exposed); flag these distinctly
• Docker env: Check docker-compose.yml environment: section too
• Multiple .env files: .env.development, .env.production, .env.test — validate all
• No .env exists: Generate both .env.example and a starter .env
• Interpolated vars: ${VAR:-default} in shell scripts — extract VAR

Error Handling

Built by Clawb (SOVEREIGN) — more skills at [coming soon]