{"id":47697157,"url":"https://github.com/labrynx/envctl","last_synced_at":"2026-04-14T13:01:35.886Z","repository":{"id":347531135,"uuid":"1194106323","full_name":"labrynx/envctl","owner":"labrynx","description":"Your .env files, local-first and under your control.","archived":false,"fork":false,"pushed_at":"2026-04-13T04:56:45.000Z","size":9598,"stargazers_count":1,"open_issues_count":4,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T06:25:26.076Z","etag":null,"topics":["cli","config-management","configuration","developer-tools","devops","dotenv","env","environment","environment-management","local-first","python","symlink","typer"],"latest_commit_sha":null,"homepage":"https://labrynx.github.io/envctl/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/labrynx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-27T23:36:27.000Z","updated_at":"2026-04-13T04:40:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/labrynx/envctl","commit_stats":null,"previous_names":["alessbarb/envctl","labrynx/envctl"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/labrynx/envctl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/labrynx%2Fenvctl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/labrynx%2Fenvctl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/labrynx%2Fenvctl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/labrynx%2Fenvctl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/labrynx","download_url":"https://codeload.github.com/labrynx/envctl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/labrynx%2Fenvctl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31797376,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T11:13:53.975Z","status":"ssl_error","status_checked_at":"2026-04-14T11:13:53.299Z","response_time":153,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","config-management","configuration","developer-tools","devops","dotenv","env","environment","environment-management","local-first","python","symlink","typer"],"created_at":"2026-04-02T16:32:25.867Z","updated_at":"2026-04-14T13:01:35.881Z","avatar_url":"https://github.com/labrynx.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"![envctl](docs/assets/images/social/envctl-banner.png)\n\n**Your `.env.local` works... until it doesn't.**\n\nDifferent machines behave differently.\u003cbr\u003e\nOnboarding breaks.\u003cbr\u003e\nCI fails in ways you can't reproduce.\n\n`envctl` stops that drift.\n\n`envctl` keeps environments consistent.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n[![Tests](https://github.com/labrynx/envctl/actions/workflows/ci-tests.yml/badge.svg)](https://github.com/labrynx/envctl/actions/workflows/ci-tests.yml)\n[![Coverage](https://github.com/labrynx/envctl/actions/workflows/ci-coverage.yml/badge.svg)](https://github.com/labrynx/envctl/actions/workflows/ci-coverage.yml)\n\n[![PyPI version](https://img.shields.io/pypi/v/envctl.svg)](https://pypi.org/project/envctl/)\n[![Python versions](https://img.shields.io/pypi/pyversions/envctl.svg)](https://pypi.org/project/envctl/)\n[![License](https://img.shields.io/pypi/l/envctl.svg)](https://github.com/labrynx/envctl/blob/main/LICENSE)\n\n[![Code style: ruff](https://img.shields.io/badge/style-ruff-000000.svg)](https://github.com/astral-sh/ruff)\n[![Type checked: mypy](https://img.shields.io/badge/types-mypy-blue.svg)](https://mypy-lang.org/)\n[![Security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://bandit.readthedocs.io/)\n[![Imports: import-linter](https://img.shields.io/badge/imports-linter-purple.svg)](https://github.com/seddonym/import-linter)\n\n[![Release](https://github.com/labrynx/envctl/actions/workflows/release.yml/badge.svg)](https://github.com/labrynx/envctl/actions/workflows/release.yml)\n\n\u003c/div\u003e\n\n---\n\n## What `envctl` does\n\n`envctl` keeps environments consistent.\n\nIt gives you:\n\n* shared requirements in the repo\n* local values outside Git\n* explicit runtime behavior instead of guesswork\n\nIt is not a secret manager.\nIt is not a dotenv loader.\nIt is not a shell trick.\n\nIt is a local-first way to stop `.env` drift across development, teammates, and CI.\n\n---\n\n## The problem\n\nYou have probably seen some version of this already:\n\n* it works on your machine, but not on your teammate's\n* CI fails because a variable is missing or shaped differently\n* onboarding depends on tribal knowledge\n* `.env.local` gets copied around until nobody trusts it\n* nobody can clearly say which variables are actually required\n\nThat is not just a secret-storage problem.\n\nIt is an environment-consistency problem.\n\n---\n\n## How `envctl` fixes it\n\n`envctl` makes environments explicit instead of implicit.\n\nIt separates the environment into clear responsibilities:\n\n* **contract**: what the project requires\n* **vault**: what each machine stores locally\n* **profiles**: which local value set is active\n* **resolution**: what is actually true at runtime\n* **projection**: how that resolved environment is handed to tools\n\nThat means:\n\n* the repo defines shared requirements\n* each machine keeps real values local\n* the runtime environment is explicit and checkable\n\n\u003e No hidden source of truth.\u003cbr\u003e\n\u003e No guessing which value won.\n\n---\n\n## Quickstart\n\nInstall the CLI:\n\n```bash\npython3 -m pip install envctl\n```\n\nThen the shortest useful flow is:\n\n```bash\nenvctl config init\nenvctl init\nenvctl fill\nenvctl check\nenvctl run -- python app.py\n```\n\nWhat happens:\n\n* `config init` creates your user-level `envctl` config\n* `init` prepares the repository for `envctl` and attempts to install managed Git hooks\n* `fill` asks only for missing required values\n* `check` validates the resolved environment\n* `run` executes with the resolved environment injected directly\n\nIf another tool really needs a file on disk, use `sync`.\nOtherwise, `run` is usually the cleanest path.\n\n## Local Git protection\n\n`envctl` can keep its own secret guard wired into Git without becoming a generic hooks manager.\n\nThe managed workflow is:\n\n```bash\nenvctl hooks status\nenvctl hooks install\nenvctl hooks repair\nenvctl hooks remove\n```\n\nThose commands manage only `envctl`'s own `pre-commit` and `pre-push` wrappers, both of which run `envctl guard secrets`.\n\n---\n\n## Why it is different\n\n`envctl` is not mainly competing with cloud secret tools or dotenv loaders.\n\nIts primary job is different:\n\n* cloud secret tools focus on secret distribution\n* dotenv loaders and shell tooling focus on injection\n* `envctl` focuses on environment coherence\n\nThat is why the core value is not “where do secrets live?”.\n\nThe core value is:\n\n* what does this project require?\n* what does this machine actually have?\n* what environment will the app really receive?\n\n---\n\n## A typical workflow\n\n```bash\n# add a new shared requirement\nenvctl add API_KEY sk-example\ngit add .envctl.yaml\ngit commit -m \"require API_KEY\"\n\n# another developer pulls\nenvctl check\nenvctl fill\nenvctl run -- python app.py\n```\n\nThe contract changes in Git.\nReal values stay local.\nThe runtime environment stays explicit.\n\n---\n\n## When `envctl` is a good fit\n\n* your `.env.local` keeps drifting\n* onboarding is fragile\n* local and CI behavior diverge too easily\n* one machine needs multiple local contexts\n* you want a local-first workflow without turning generated files into the source of truth\n\n## When it is probably overkill\n\n* you have one tiny project with a static env file\n* onboarding is trivial and unlikely to change\n* the team already solves environment consistency elsewhere and does not need another layer\n\n---\n\n## Security\n\n* no secrets in the contract\n* local values stay on the machine\n* sensitive output is masked\n* encryption at rest is optional\n* managed Git hooks can run `guard secrets` automatically before commit and push\n\n`envctl` assumes the local machine is trusted. It is designed to keep environment handling explicit and safer, not to replace a full remote secrets platform.\n\n---\n\n## Documentation\n\n* [Docs home](docs/index.md)\n* [Getting started](docs/getting-started/index.md)\n* [Quickstart](docs/getting-started/quickstart.md)\n* [Concepts](docs/concepts/index.md)\n* [Commands reference](docs/reference/commands/index.md)\n* [Configuration reference](docs/reference/configuration.md)\n* [Observability reference](docs/reference/observability.md)\n* [Distribution reference](docs/reference/distribution.md)\n* [Troubleshooting](docs/troubleshooting/index.md)\n* [Compatibility](docs/internals/compatibility.md)\n\n---\n\n## Development\n\nThe repository uses `uv` for dependency management and reproducible environments.\n\n```bash\nuv sync --dev\nmake validate\n```\n\nThis ensures that local development and CI use the same locked dependency graph defined in `uv.lock`.\n\nIf you are editing documentation locally:\n\n```bash\nuv sync --extra docs\nmake docs-check\n```\n\nThe validation flow includes linting, formatting, type checking, security checks, tests with coverage, and architectural constraints.\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for details.\n\n---\n\nIf you have ever said:\n\n\u003e \"it works on my machine\"\n\nthen `envctl` is probably solving a problem you already have.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flabrynx%2Fenvctl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flabrynx%2Fenvctl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flabrynx%2Fenvctl/lists"}