Secrets Management
Secrets synchronization is the core feature of envx-cli-tmr. It replaces manual environment configuration management with secure, CLI-first workflows.
# Security Architecture
Cryptographic Specifications
- Encryption at Rest: Environment secrets are fully encrypted at rest using industry-grade AES-256-GCM encryption with project-specific keys.
- Transit Security: All API communication occurs over secure HTTPS/TLS 1.3 layers. Plain-text data is never transmitted over unencrypted protocols.
- Access Restrictions: Only authenticated project members with valid session tokens can request variable decryptions.
# Project Setup (envx init)
Running envx init compiles a template configurations file:
This scans the project directory and generates a safe .env.example template showing the keys (values omitted) to commit safely to version control.
# Push Secrets (envx push)
When you add new secrets or edit local environment variables, push them to the secure remote repository. The CLI will display an interactive keyboard dropdown allowing you to select your target project using arrow keys:
Handling "No .env file found" Error
If you execute `envx push` without a local environment file, the CLI will throw a validation error. You must construct a local `.env` first in your project root before pushing:
# Pull Secrets (envx pull)
Teammates can download and decrypt the latest environment variables using the pull command. Similar to pushing, you select your project interactively from the keyboard list: