CLI Overview

Commands

Command	Description
envpkt init	Generate an envpkt.toml template
envpkt keygen	Generate age keypair for sealing secrets
envpkt audit	Check credential health against lifecycle policies
envpkt inspect	Display a structured view of the config
envpkt resolve	Resolve catalog references into a flat config
envpkt fleet	Scan directory tree and aggregate health
envpkt exec	Pre-flight audit, inject secrets, run a command
envpkt env scan	Auto-discover credentials from shell environment
envpkt env check	Bidirectional drift detection
envpkt env export	Output export statements for sourcing secrets
envpkt shell-hook	Output shell function for ambient warnings
envpkt mcp	Start the MCP server

Global Options

All commands support:

• --help — Show help for the command
• --version — Show envpkt version

Config Resolution

Commands that read envpkt.toml (audit, inspect, resolve, exec, env check, env export) follow this resolution chain:

1. Explicit -c path/to/envpkt.toml flag
2. ENVPKT_CONFIG environment variable
3. envpkt.toml in the current working directory
4. ENVPKT_SEARCH_PATH (colon-separated list of candidate paths)
5. Built-in search locations:
   • ~/.envpkt/envpkt.toml
   • OneDrive — macOS (~/OneDrive/, ~/Library/CloudStorage/OneDrive-*/), Windows ($USERPROFILE/OneDrive/, $OneDrive/), WSL (/mnt/c/Users/$USER/OneDrive/)
   • iCloud (~/Library/Mobile Documents/com~apple~CloudDocs/.envpkt/)
   • Dropbox (~/Dropbox/.envpkt/, $DROPBOX_PATH/.envpkt/)
   • Google Drive (~/Google Drive/My Drive/, ~/Library/CloudStorage/GoogleDrive-*/, $GOOGLE_DRIVE/)

When a config is loaded from outside CWD, envpkt prints the resolved path to stderr for transparency.

If a catalog field is present, it’s resolved relative to the config file’s directory.

Exit Codes

Code	Meaning
0	Healthy — all secrets pass audit
1	Degraded — some secrets have warnings
2	Critical — expired or missing secrets

See Exit Codes reference for details.