# Dotenv Manager

Parse, validate, merge and secret-mask .env files in your browser: flag duplicate and missing keys, lint names, and export .env.example or JSON. No upload.

## Run it

- **CLI:** `gizza tool dotenv-manager "# database
export DB_HOST=localhost
DB_PORT=5432
API_TOKEN=secret123456
DB_HOST=127.0.0.1"`
- **Web:** https://gizza.ai/tools/dotenv-manager/
- **Agents:** machine-readable descriptor (parameters JSON Schema) at https://gizza.ai/tools/dotenv-manager/tool.json

## Inputs

- `env` — .env file _(field)_
- `merge` — Overlay .env to merge (optional — its keys win) _(field)_
- `required_keys` — Required keys (comma-separated, optional) _(field)_
- `mask_secrets` — Mask sensitive values (SECRET/TOKEN/PASSWORD/KEY/…) _(field)_
- `sort_keys` — Sort keys alphabetically _(field)_
- `output` — Output _(field)_

## Output

- Result (text)

## Query parameters

Open the tool pre-filled and auto-run via URL:

- `env` — .env file
- `merge` — Overlay .env to merge (optional — its keys win)
- `required_keys` — Required keys (comma-separated, optional)
- `mask_secrets` — Mask sensitive values (SECRET/TOKEN/PASSWORD/KEY/…)
- `sort_keys` — Sort keys alphabetically
- `output` — Output

Example: `https://gizza.ai/tools/dotenv-manager/?env=%23%20database%0Aexport%20DB_HOST%3Dlocalhost%0ADB_PORT%3D5432%0AAPI_TOKEN%3Dsecret123456%0ADB_HOST%3D127.0.0.1&merge=DB_HOST%3Dprod.internal%0AAPI_TOKEN%3Dprod-token-9999&required_keys=DATABASE_URL%2CAPI_KEY&mask_secrets=true&sort_keys=true&output=report`

---

## About this tool

Dotenv Manager parses, validates, merges and secret-masks `.env` files right in
your browser. Paste a `.env` file and it reads the same syntax your app's dotenv
loader does — `KEY=VALUE` lines, `#` comments, blank lines, single- and
double-quoted values, inline comments, and an optional `export ` prefix — then
reports what's wrong before it bites you in production.

It catches the mistakes that silently break config:

- **Duplicate keys** — the same key set twice, with a note that the **last value
  wins** (the runtime dotenv semantics), so you know which value your app actually sees.
- **Missing required keys** — list the keys your app can't start without (e.g.
  `DATABASE_URL,API_KEY`) and any that are absent are flagged.
- **Lint warnings** — keys that aren't `UPPER_SNAKE_CASE`, empty values, stray
  whitespace around `=`, unterminated quotes, and barewords with no value.

Set a second **overlay** file to merge two `.env`s the way layered environments
do — the overlay's keys override the base (last-file-wins), so you can preview
exactly what `.env` + `.env.production` resolve to.

**Mask secrets** is on by default: values of sensitive-looking keys (names
containing `SECRET`, `TOKEN`, `PASSWORD`, `KEY`, `AUTH`, and more) are shown as
`ab****yz` so you can share a report without leaking credentials.

Pick the output you need: a **report** (diagnostics plus values), a **normalized**
`.env` (deduped, last value wins), a **`.env.example`** with every value blanked
for committing to source control, or **JSON** of the merged pairs. Optionally sort
keys alphabetically. Everything runs locally — your `.env` is never uploaded.

## FAQ

<details>
<summary>Is my .env file uploaded anywhere?</summary>

No. Parsing, validation, merging and masking all run locally in your browser via
WebAssembly. Your file never leaves your machine, so it's safe to paste real
secrets — though with **Mask sensitive values** on, secret-looking values are
hidden in the output anyway.

</details>

<details>
<summary>Which key gets used when a key appears twice?</summary>

The **last** one. Real dotenv loaders keep the last assignment for a repeated key,
so the tool does the same — it flags the duplicate, lists every line the key
appears on, and the `normalized` and `json` outputs keep only the final value.

</details>

<details>
<summary>How does merging two .env files work?</summary>

Paste a second file into the **overlay** box. Its keys override matching keys in
the primary file (last-file-wins, exactly how layered `.env` + `.env.production`
files resolve at runtime), and any keys unique to the overlay are appended. Keys
only in the primary file are kept as-is. The `report` output counts how many keys
the overlay overrode.

</details>

<details>
<summary>How are secrets detected and masked?</summary>

Masking is based on the **key name**, not a fuzzy content scan, so it's
deterministic and predictable. Any key whose name contains a sensitive marker —
`SECRET`, `TOKEN`, `PASSWORD`, `PASSWD`, `PWD`, `KEY`, `AUTH`, `CRED`, `PRIVATE`,
`CERT`, `SIGNATURE`, `ACCESS`, `SESSION`, or `DSN` — has its value masked. Longer
values reveal the first and last two characters (`ab****yz`); short ones become
`****`. Turn masking off to see raw values.

</details>

<details>
<summary>What's the .env.example output for?</summary>

The `example` output emits every key with a **blank value** — a `.env.example`
template you can safely commit to git so teammates know which variables to set
without exposing any real values. Combine it with **Sort keys** for a tidy,
alphabetized template.

</details>

<details>
<summary>Can I export the parsed values as JSON?</summary>

Yes. Choose the `json` output to get a JSON object of the merged key/value pairs —
handy for feeding config into a script or comparing against another environment.
Secret values are masked in the JSON too unless you disable masking.

</details>

## Related tools

- [JSON Redact](https://gizza.ai/tools/json-redact/): Detect and mask secrets — API keys, tokens, passwords, private keys and emails — in a JSON document before sharing. Structure-aware, in your browser, nothing uploaded.
- [Extract Action Items from Meeting Notes](https://gizza.ai/tools/action-item-extractor/): Extract action items, owners, and decisions from meeting notes or daily notes with deterministic rules. Markdown checklist or JSON, private in-browser.
- [Base Decoder](https://gizza.ai/tools/base-decoder/): Auto-detect and decode Base16, Base32, Base45, Base58, Base64, and Base85 text, including nested layers, locally in your browser.
- [cURL Command Parser](https://gizza.ai/tools/curl-command-parser/): Paste a curl command to see its method, URL, query params, headers, body, auth, cookies and flags — or rebuild clean curl. Browser-only.
- [Data Format Converter](https://gizza.ai/tools/data-format-converter/): Convert data between CSV, TSV, JSON, and NDJSON (JSONL) in any direction — auto-detects the source, infers types, unions keys. Free, in-browser, no upload.
