| title | Push and Pull |
|---|---|
| description | Push and pull your secrets to and from Shelve. |
push and pull sync secrets between your local .env file and Shelve. For day-to-day development — especially in AI agent shells — prefer shelve run instead of pull.
Upload variables from your local env file to Shelve:
shelve push
shelve push --env staging
shelve --non-interactive --yes push --env staging
shelve --json push --env stagingReads variables from envFileName in shelve.json (default .env).
::field-group
::field{name="env" type="string"}
Target environment. Defaults to defaultEnv in shelve.json or SHELVE_DEFAULT_ENV.
::
::field{name="yes" type="boolean"}
Skip confirmation when confirmChanges is true in config. Also respects global --yes.
::
::
JSON output: { "env", "variableCount", "pushed" } (no secret values).
Download variables from Shelve to your local env file:
shelve pull
shelve pull --env production
shelve pull --env production --yesWhen the CLI detects an AI agent shell (Cursor, Claude Code, Codex, …) or AI_AGENT is set, pull fails with AGENT_BLOCKED unless you pass --yes:
# Explicit opt-in only — secrets will be written to disk
shelve pull --yes --env development::callout{type="warning"}
Plaintext .env files can be read by AI agents. Run shelve init and prefer shelve run.
::
::field-group ::field{name="env" type="string"} Source environment. ::
::field{name="yes" type="boolean"}
Skip the agent disk-write confirmation and confirmChanges prompts.
::
::
JSON output: { "env", "variableCount", "file", "keys[]" } — values are never included.
Set defaultEnv to skip passing --env every time:
{
"defaultEnv": "development",
"slug": "my-team",
"project": "my-app"
}When confirmChanges: true in shelve.json, push and pull ask before writing. Skip with --yes or global --yes / --non-interactive automation flags.
Configure who wins when local and Shelve differ, block pushes to production, or merge on pull. See Sync policies.
shelve diff --env staging
shelve push --env staging
shelve sync --dry-run --env production