Quick Start

1. Install envpkt

   npm install -g envpkt

2. Discover credentials in your environment

   envpkt scans your shell for known credential patterns — API keys, tokens, connection strings — and reports what it finds:

   envpkt env scan

   You’ll see a table with each detected variable, its inferred service, and a confidence indicator.

3. Scaffold your envpkt.toml

   Turn those discoveries into a config file:

   envpkt env scan --write

   This creates (or appends to) envpkt.toml with [secret.*] sections for each discovered credential.

4. Generate an encryption key (optional — needed for sealing)

   If you want to encrypt secrets into your config:

   envpkt keygen

   This generates an age keypair and auto-configures identity.recipient in your envpkt.toml.

5. Audit credential health

   Check expiration dates, staleness, and missing metadata:

   envpkt audit

   Exit codes: 0 = healthy, 1 = degraded, 2 = critical.

6. Check for drift

   Detect mismatches between your config and live environment:

   envpkt env check

   This runs bidirectional drift detection — secrets in TOML but missing from env, and credential-shaped env vars not tracked in TOML.

Next Steps

• The TOML File — understand every field in envpkt.toml
• CLI Reference — full documentation for all commands
• Catalog System — share secret metadata across agents