Skip to content

env-lint

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

env-lint

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
.codex-plugin
.codex-plugin
 
 
assets
assets
 
 
scripts
scripts
 
 
skills/env-lint
skills/env-lint
 
 
.codexignore
.codexignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 

README.md

hero

env-lint

Catch missing/extra env-var keys before they bite you in prod. Never prints values.

License: MIT Python 3.8+ Claude Code Plugin Tests: 7 passing

TL;DR: /env-lint → "you're missing STRIPE_WEBHOOK_SECRET in .env.local (referenced in .env.example)" — without ever logging the secret value.

Why this exists

Every team has the same outage: someone adds a new env var to .env.example, forgets to mention it in the PR, and a teammate's local server quietly 500s on a code path that needs it. Or worse, prod is missing a key. env-lint diffs your live env file against .env.example and tells you which keys are missing or extra — and only the keys, never the values. Safe to paste in chat, safe to log to CI.

Install (Claude Code)

git clone https://github.com/mturac/pluginpool-env-lint ~/.claude/plugins/env-lint

Restart Claude Code; the slash command /env-lint appears.

Quick start

/env-lint

Or directly:

python3 scripts/envlint.py --format md
python3 scripts/envlint.py --example .env.example --env .env.production

Flags

Flag Default Description
--example auto-detect Path to template (.env.example)
--env auto-detect Path to actual env file
--format json json or md

When run without --example/--env, it scans the cwd for known pairs: (.env, .env.example), (.env.local, .env.example), (.env.production, .env.example).

Example output

# env-lint report

## .env.example ↔ .env.local
- **missing in env**: STRIPE_WEBHOOK_SECRET, SENTRY_DSN
- **extra in env**: LEGACY_API_KEY
- **empty values for**: REDIS_URL

Safety guarantee

A test in the suite (test_never_emits_values_in_json_or_markdown) writes a fake value SUPERSECRETVALUE123 into a temp .env and asserts that string never appears in either the JSON output or the markdown report. The CI badge above represents that invariant.

Exit codes

Code Meaning
0 All required keys present (extras are warnings, not errors)
1 At least one required key is missing

How it works

  1. Parses each .env file as KEY=VALUE (comments and blank lines skipped).
  2. Computes the key-set difference both ways.
  3. Reports missing keys (template has them, env doesn't), extra keys (env has them, template doesn't), and empty values.

Limitations

  • Doesn't expand ${VAR} references — it only checks key presence.
  • Quoted values are detected as "present" even if the quoted content is empty (KEY="" is empty, not missing).
  • Custom env-file naming conventions need explicit --example/--env.

Examples

Step-by-step walkthroughs with real input fixtures and the helper's actual output live in examples/. Three or four scenarios per plugin — from the happy path to the edge cases the test suite guards.

Part of the pluginpool family

Ten focused Claude Code plugins for everyday productivity: commit-narrator · pr-storyteller · test-gap · deps-doctor · env-lint · secret-guard · standup-gen · todo-harvest · flaky-detector · changelog-forge

License

MIT — see LICENSE. Contributions welcome.