@redredchen01/env-manager 0.2.0

package/CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+
+## 0.2.0
+
+### Minor Changes
+
+- Initial release: Skill Foundry v2 CLI toolkit
+
+  - cli-core: dispatcher, logger, config (XDG), version framework
+  - api-testing: HTTP requests, assertions, collections, environments, mock server
+  - dep-audit: outdated, vulnerabilities, licenses, dependency tree
+  - docker-mgmt: container lifecycle, compose, build, logs
+  - env-manager: .env management, encryption, diff, sync, validation
+  - git-workflow: branches, rebase, cherry-pick, merge-check, stash
+  - log-parser: filter, tail, stats, highlight, extract, JSON parsing
+
+### Patch Changes
+
+- Updated dependencies
+  - @redredchen01/cli-core@0.2.0
+
+All notable changes to @redredchen01/env-manager will be documented in this file.
+
+Generated by [git-cliff](https://github.com/orhun/git-cliff).

package/README.md

@@ -0,0 +1,45 @@
+# @foundry/env-manager
+
+> CLI toolkit for .env file management — diff, validate, sync, encrypt/decrypt
+
+[![npm version](https://img.shields.io/npm/v/@foundry/env-manager.svg)](https://www.npmjs.com/package/@foundry/env-manager)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+## Install
+
+```bash
+npm install -g @foundry/env-manager
+```
+
+## Quick Start
+
+```bash
+env-manager show                    # view vars (secrets masked)
+env-manager validate                # check for missing vars
+env-manager diff .env .env.prod     # compare environments
+env-manager sync                    # update .env.example
+env-manager encrypt                 # encrypt .env → .env.enc
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `show` | Display .env with secret masking |
+| `diff` | Compare two .env files |
+| `validate` | Check against .env.example |
+| `sync` | Generate .env.example from .env |
+| `encrypt` | Encrypt .env (AES-256-CBC) |
+| `decrypt` | Decrypt .env.enc |
+| `init` | Create .env from template |
+
+## As Claude Skill
+
+> "Show me the env vars in this project"
+> "Am I missing any environment variables?"
+> "What's different between staging and production env?"
+> "Encrypt the .env file for safe storage"
+
+## License
+
+MIT

package/SKILL.md

@@ -0,0 +1,52 @@
+---
+name: env-manager
+description: Use when the user needs help with .env files — comparing environments, checking for missing variables, syncing .env to .env.example, encrypting secrets, or viewing env vars safely. Triggers on ".env", "environment variable", "missing env", "env diff", "encrypt secrets", "env example", "validate env", "sync env", "show env", "env config".
+---
+
+# env-manager
+
+CLI toolkit for .env file management. Compare environments, validate completeness, sync to .env.example, encrypt/decrypt secrets, and safely view variables.
+
+## Usage
+
+When the user works with .env files or environment configuration, use these commands. Sensitive values are automatically masked unless `--reveal` is used.
+
+## CLI Commands
+
+```bash
+env-manager <command> [options]
+```
+
+| Command | Description |
+|---------|-------------|
+| `show` | Display .env with automatic secret masking |
+| `diff` | Compare two .env files (added/removed/changed) |
+| `validate` | Check .env against .env.example for missing vars |
+| `sync` | Generate .env.example from .env (strip values) |
+| `encrypt` | Encrypt .env with AES-256-CBC (OpenSSL) |
+| `decrypt` | Decrypt .env.enc back to .env |
+| `init` | Create .env from .env.example |
+
+## Common Workflows
+
+### "What env vars do I have?"
+```bash
+env-manager show                    # masked secrets
+env-manager show .env.production    # specific file
+```
+
+### "Am I missing any env vars?"
+```bash
+env-manager validate                # check against .env.example
+env-manager validate --no-empty     # also flag empty values
+```
+
+### "What's different between staging and prod?"
+```bash
+env-manager diff .env.staging .env.production --values
+```
+
+### "Update .env.example after adding new vars"
+```bash
+env-manager sync                    # .env → .env.example (strip values)
+```

package/bin/env-manager.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# @foundry/env-manager — CLI entry point
+# Installed via: npm install -g @foundry/env-manager
+set -euo pipefail
+
+SKILL_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+exec bash "$SKILL_ROOT/cli/main.sh" "$@"

package/cli/commands/decrypt.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# Command: decrypt — 解密 .env.enc 檔案
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="decrypt"
+# shellcheck disable=SC2034
+COMMAND_DESC="Decrypt an encrypted .env file (AES-256-CBC)"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager decrypt <file> [options]
+
+Decrypt a .env.enc file back to .env (AES-256-CBC, OpenSSL).
+
+Arguments:
+  file         Encrypted file (e.g., .env.enc)
+
+Options:
+  -o, --output FILE   Output file (default: strip .enc suffix)
+  -h, --help          Show this help
+
+Examples:
+  env-manager decrypt .env.enc
+  env-manager decrypt secrets.enc -o .env.production
+EOF
+}
+
+run() {
+  local file="" output=""
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --output|-o) shift; output="${1:?--output requires a file}" ;;
+      -*) echo "Error: unknown option '$1'" >&2; return 1 ;;
+      *) file="$1" ;;
+    esac
+    shift
+  done
+
+  [ -z "$file" ] && { echo "Error: encrypted file required." >&2; return 1; }
+  [ ! -f "$file" ] && { echo "Error: '$file' not found." >&2; return 1; }
+
+  if ! command -v openssl >/dev/null 2>&1; then
+    echo "Error: openssl is not installed." >&2
+    return 1
+  fi
+
+  # Auto-detect output name
+  if [ -z "$output" ]; then
+    output="${file%.enc}"
+    [ "$output" = "$file" ] && output="${file}.decrypted"
+  fi
+
+  echo "Decrypting: $file → $output"
+  echo "Enter passphrase:"
+
+  if openssl enc -aes-256-cbc -d -salt -pbkdf2 -in "$file" -out "$output" 2>/dev/null; then
+    echo ""
+    echo "Decrypted: $output"
+    local count
+    count="$(grep -c '=' "$output" 2>/dev/null || echo 0)"
+    echo "($count variables)"
+  else
+    echo "Error: decryption failed (wrong passphrase?)." >&2
+    [ -f "$output" ] && rm "$output"
+    return 1
+  fi
+}

package/cli/commands/diff.sh

@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+# Command: diff — 比較兩個 .env 檔案
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="diff"
+# shellcheck disable=SC2034
+COMMAND_DESC="Compare two .env files and show differences"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager diff <file1> <file2> [options]
+
+Compare two .env files. Shows keys that are added, removed, or have different values.
+
+Arguments:
+  file1    First .env file (e.g., .env)
+  file2    Second .env file (e.g., .env.production)
+
+Options:
+  --keys-only    Only compare keys (ignore values)
+  --values       Also show differing values (masked by default)
+  -h, --help     Show this help
+
+Examples:
+  env-manager diff .env .env.example
+  env-manager diff .env .env.production --values
+  env-manager diff .env.staging .env.production --keys-only
+EOF
+}
+
+run() {
+  local file1="" file2="" keys_only=false show_values=false
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --keys-only) keys_only=true ;;
+      --values) show_values=true ;;
+      -*)  echo "Error: unknown option '$1'" >&2; return 1 ;;
+      *)
+        if [ -z "$file1" ]; then file1="$1"
+        elif [ -z "$file2" ]; then file2="$1"
+        else echo "Error: too many arguments." >&2; return 1
+        fi ;;
+    esac
+    shift
+  done
+
+  [ -z "$file1" ] || [ -z "$file2" ] && { echo "Error: two files required." >&2; return 1; }
+  [ ! -f "$file1" ] && { echo "Error: '$file1' not found." >&2; return 1; }
+  [ ! -f "$file2" ] && { echo "Error: '$file2' not found." >&2; return 1; }
+
+  echo "Comparing: $file1 ↔ $file2"
+  echo ""
+
+  # Extract keys from each file
+  local keys1 keys2
+  keys1="$(_extract_keys "$file1")"
+  keys2="$(_extract_keys "$file2")"
+
+  local only_in_1="" only_in_2="" in_both="" changed=""
+
+  # Keys only in file1
+  while IFS= read -r key; do
+    [ -z "$key" ] && continue
+    if ! echo "$keys2" | grep -qx "$key"; then
+      only_in_1="${only_in_1}${key}\n"
+    else
+      in_both="${in_both}${key}\n"
+    fi
+  done <<< "$keys1"
+
+  # Keys only in file2
+  while IFS= read -r key; do
+    [ -z "$key" ] && continue
+    if ! echo "$keys1" | grep -qx "$key"; then
+      only_in_2="${only_in_2}${key}\n"
+    fi
+  done <<< "$keys2"
+
+  # Value differences (for keys in both)
+  if [ "$keys_only" = false ]; then
+    while IFS= read -r key; do
+      [ -z "$key" ] && continue
+      local v1 v2
+      v1="$(_get_value "$file1" "$key")"
+      v2="$(_get_value "$file2" "$key")"
+      if [ "$v1" != "$v2" ]; then
+        changed="${changed}${key}\n"
+      fi
+    done <<< "$(echo -e "$in_both")"
+  fi
+
+  # Output
+  if [ -n "$only_in_1" ]; then
+    echo "Only in $file1:"
+    echo -e "$only_in_1" | while IFS= read -r k; do
+      [ -n "$k" ] && echo "  - $k"
+    done
+    echo ""
+  fi
+
+  if [ -n "$only_in_2" ]; then
+    echo "Only in $file2:"
+    echo -e "$only_in_2" | while IFS= read -r k; do
+      [ -n "$k" ] && echo "  + $k"
+    done
+    echo ""
+  fi
+
+  if [ -n "$changed" ]; then
+    echo "Different values:"
+    echo -e "$changed" | while IFS= read -r k; do
+      [ -z "$k" ] && continue
+      if [ "$show_values" = true ]; then
+        echo "  ~ $k: $(_get_value "$file1" "$k") → $(_get_value "$file2" "$k")"
+      else
+        echo "  ~ $k"
+      fi
+    done
+    echo ""
+  fi
+
+  if [ -z "$only_in_1" ] && [ -z "$only_in_2" ] && [ -z "$changed" ]; then
+    echo "Files are identical (same keys and values)."
+  fi
+}
+
+_extract_keys() {
+  grep -v '^#' "$1" | grep -v '^$' | grep '=' | sed 's/=.*//' | sort
+}
+
+_get_value() {
+  grep "^${2}=" "$1" 2>/dev/null | head -1 | sed "s/^${2}=//"
+}

package/cli/commands/encrypt.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+# Command: encrypt — 加密 .env 檔案
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="encrypt"
+# shellcheck disable=SC2034
+COMMAND_DESC="Encrypt .env file with a passphrase (AES-256-CBC)"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager encrypt [file] [options]
+
+Encrypt a .env file using AES-256-CBC (OpenSSL). Produces a .env.enc file.
+
+Arguments:
+  file         File to encrypt (default: .env)
+
+Options:
+  -o, --output FILE   Output file (default: {input}.enc)
+  --delete            Delete original after encryption
+  -h, --help          Show this help
+
+Prerequisites:
+  OpenSSL must be installed (pre-installed on macOS and most Linux).
+
+Examples:
+  env-manager encrypt
+  env-manager encrypt .env.production
+  env-manager encrypt .env -o secrets.enc
+  env-manager encrypt --delete
+EOF
+}
+
+run() {
+  local file=".env" output="" delete_original=false
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --output|-o) shift; output="${1:?--output requires a file}" ;;
+      --delete) delete_original=true ;;
+      -*) echo "Error: unknown option '$1'" >&2; return 1 ;;
+      *) file="$1" ;;
+    esac
+    shift
+  done
+
+  [ ! -f "$file" ] && { echo "Error: '$file' not found." >&2; return 1; }
+
+  if ! command -v openssl >/dev/null 2>&1; then
+    echo "Error: openssl is not installed." >&2
+    return 1
+  fi
+
+  [ -z "$output" ] && output="${file}.enc"
+
+  echo "Encrypting: $file → $output"
+  echo "Enter passphrase (you'll need this to decrypt):"
+
+  if openssl enc -aes-256-cbc -salt -pbkdf2 -in "$file" -out "$output" 2>/dev/null; then
+    echo ""
+    echo "Encrypted: $output"
+    if [ "$delete_original" = true ]; then
+      rm "$file"
+      echo "Deleted original: $file"
+    fi
+    echo ""
+    echo "To decrypt: env-manager decrypt $output"
+  else
+    echo "Error: encryption failed." >&2
+    [ -f "$output" ] && rm "$output"
+    return 1
+  fi
+}

package/cli/commands/init.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+# Command: init — 初始化 .env 檔案
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="init"
+# shellcheck disable=SC2034
+COMMAND_DESC="Initialize .env from .env.example with interactive prompts"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager init [options]
+
+Create .env from .env.example. Copies the template and optionally prompts for values.
+
+Options:
+  --example FILE   Template file (default: .env.example)
+  --output FILE    Output file (default: .env)
+  --force          Overwrite existing .env
+  --no-prompt      Copy as-is without prompting
+  -h, --help       Show this help
+
+Examples:
+  env-manager init
+  env-manager init --example .env.template
+  env-manager init --force
+  env-manager init --no-prompt
+EOF
+}
+
+run() {
+  local example=".env.example" output=".env" force=false no_prompt=false
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --example) shift; example="${1:?--example requires a file}" ;;
+      --output) shift; output="${1:?--output requires a file}" ;;
+      --force) force=true ;;
+      --no-prompt) no_prompt=true ;;
+      *) echo "Error: unknown option '$1'" >&2; return 1 ;;
+    esac
+    shift
+  done
+
+  [ ! -f "$example" ] && { echo "Error: '$example' not found." >&2; return 1; }
+
+  if [ -f "$output" ] && [ "$force" = false ]; then
+    echo "Error: '$output' already exists. Use --force to overwrite." >&2
+    return 1
+  fi
+
+  if [ "$no_prompt" = true ]; then
+    cp "$example" "$output"
+    local count
+    count="$(grep -c '=' "$output" 2>/dev/null || echo 0)"
+    echo "Created: $output ($count variables from $example)"
+    return 0
+  fi
+
+  # Interactive: copy with prompts for empty values
+  echo "Initializing $output from $example"
+  echo "(Press Enter to keep default, or type a new value)"
+  echo ""
+
+  local result=""
+  while IFS= read -r line; do
+    case "$line" in
+      ""|\#*)
+        result="${result}${line}\n"
+        continue
+        ;;
+    esac
+
+    local key="${line%%=*}"
+    local value="${line#*=}"
+
+    if [ -z "$value" ] || [ "$value" = '""' ] || [ "$value" = "''" ]; then
+      printf "  %s = " "$key"
+      local new_value
+      read -r new_value < /dev/tty 2>/dev/null || new_value=""
+      if [ -n "$new_value" ]; then
+        result="${result}${key}=${new_value}\n"
+      else
+        result="${result}${line}\n"
+      fi
+    else
+      result="${result}${line}\n"
+    fi
+  done < "$example"
+
+  echo -e "$result" > "$output"
+  echo ""
+  echo "Created: $output"
+}

package/cli/commands/show.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# Command: show — 顯示 .env 內容（遮蔽 secrets）
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="show"
+# shellcheck disable=SC2034
+COMMAND_DESC="Display .env contents with secret masking"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager show [file] [options]
+
+Display .env file contents with automatic secret masking.
+
+Arguments:
+  file         Path to .env file (default: .env)
+
+Options:
+  --reveal     Show actual values (no masking)
+  --keys       Show only keys, no values
+  --sort       Sort alphabetically
+  -h, --help   Show this help
+
+Examples:
+  env-manager show
+  env-manager show .env.production
+  env-manager show --reveal
+  env-manager show --keys
+EOF
+}
+
+SECRET_PATTERNS="PASSWORD|SECRET|KEY|TOKEN|API_KEY|PRIVATE|CREDENTIAL|AUTH"
+
+run() {
+  local file=".env" reveal=false keys_only=false do_sort=false
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --reveal) reveal=true ;;
+      --keys) keys_only=true ;;
+      --sort) do_sort=true ;;
+      -*) echo "Error: unknown option '$1'" >&2; return 1 ;;
+      *) file="$1" ;;
+    esac
+    shift
+  done
+
+  if [ ! -f "$file" ]; then
+    echo "Error: '$file' not found." >&2
+    return 1
+  fi
+
+  local lines
+  if [ "$do_sort" = true ]; then
+    lines="$(sort "$file")"
+  else
+    lines="$(cat "$file")"
+  fi
+
+  local count=0
+  while IFS= read -r line; do
+    # Skip empty lines and comments
+    case "$line" in
+      ""|\#*) echo "$line"; continue ;;
+    esac
+
+    local key value
+    key="${line%%=*}"
+    value="${line#*=}"
+    count=$((count + 1))
+
+    if [ "$keys_only" = true ]; then
+      echo "$key"
+    elif [ "$reveal" = true ]; then
+      echo "$line"
+    else
+      # Mask values for sensitive keys
+      if echo "$key" | grep -qiE "$SECRET_PATTERNS"; then
+        echo "${key}=********"
+      else
+        echo "$line"
+      fi
+    fi
+  done <<< "$lines"
+
+  echo ""
+  echo "($count variables in $file)"
+}

package/cli/commands/sync.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# Command: sync — 同步 .env 到 .env.example
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="sync"
+# shellcheck disable=SC2034
+COMMAND_DESC="Sync .env keys to .env.example (strip values)"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager sync [options]
+
+Generate or update .env.example from .env, keeping keys but stripping values.
+
+Options:
+  --source FILE    Source file (default: .env)
+  --target FILE    Target file (default: .env.example)
+  --preserve       Keep existing values in target (only add new keys)
+  --dry-run        Show what would change without writing
+  -h, --help       Show this help
+
+Examples:
+  env-manager sync
+  env-manager sync --source .env.production --target .env.prod.example
+  env-manager sync --preserve
+  env-manager sync --dry-run
+EOF
+}
+
+run() {
+  local source=".env" target=".env.example" preserve=false dry_run=false
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --source) shift; source="${1:?--source requires a file}" ;;
+      --target) shift; target="${1:?--target requires a file}" ;;
+      --preserve) preserve=true ;;
+      --dry-run) dry_run=true ;;
+      *) echo "Error: unknown option '$1'" >&2; return 1 ;;
+    esac
+    shift
+  done
+
+  [ ! -f "$source" ] && { echo "Error: '$source' not found." >&2; return 1; }
+
+  echo "Syncing: $source → $target"
+  echo ""
+
+  local output="" added=0 total=0
+
+  while IFS= read -r line; do
+    case "$line" in
+      ""|\#*)
+        output="${output}${line}\n"
+        continue
+        ;;
+    esac
+
+    local key="${line%%=*}"
+    total=$((total + 1))
+
+    if [ "$preserve" = true ] && [ -f "$target" ]; then
+      local existing
+      existing="$(grep "^${key}=" "$target" 2>/dev/null | head -1)"
+      if [ -n "$existing" ]; then
+        output="${output}${existing}\n"
+        continue
+      fi
+    fi
+
+    # Strip value, keep key with empty value
+    output="${output}${key}=\n"
+
+    # Check if this is a new key
+    if [ -f "$target" ] && ! grep -q "^${key}=" "$target" 2>/dev/null; then
+      added=$((added + 1))
+    fi
+  done < "$source"
+
+  if [ "$dry_run" = true ]; then
+    echo "Would write to $target ($total keys, $added new):"
+    echo ""
+    echo -e "$output"
+    echo "(Dry run — no file written)"
+    return 0
+  fi
+
+  echo -e "$output" > "$target"
+  echo "Written: $target ($total keys, $added new)"
+}

package/cli/commands/validate.sh

@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+# Command: validate — 驗證 .env 完整性
+# Part of @foundry/env-manager
+
+# shellcheck disable=SC2034
+COMMAND_NAME="validate"
+# shellcheck disable=SC2034
+COMMAND_DESC="Validate .env against .env.example for missing/extra variables"
+
+show_help() {
+  cat << 'EOF'
+Usage: env-manager validate [file] [options]
+
+Check .env against .env.example to find missing or extra variables.
+
+Arguments:
+  file         Path to .env file (default: .env)
+
+Options:
+  --example FILE   Reference file (default: .env.example)
+  --strict         Fail on extra variables (not just missing)
+  --no-empty       Fail on empty values
+  -h, --help       Show this help
+
+Examples:
+  env-manager validate
+  env-manager validate .env.production
+  env-manager validate --example .env.required --strict
+  env-manager validate --no-empty
+EOF
+}
+
+run() {
+  local file=".env" example=".env.example" strict=false no_empty=false
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --help|-h) show_help; return 0 ;;
+      --example) shift; example="${1:?--example requires a file}" ;;
+      --strict) strict=true ;;
+      --no-empty) no_empty=true ;;
+      -*) echo "Error: unknown option '$1'" >&2; return 1 ;;
+      *) file="$1" ;;
+    esac
+    shift
+  done
+
+  [ ! -f "$file" ] && { echo "Error: '$file' not found." >&2; return 1; }
+  [ ! -f "$example" ] && { echo "Error: '$example' not found. Create it or use --example." >&2; return 1; }
+
+  echo "Validating: $file against $example"
+  echo ""
+
+  local env_keys example_keys
+  env_keys="$(_extract_keys "$file")"
+  example_keys="$(_extract_keys "$example")"
+
+  local errors=0 warnings=0
+
+  # Missing keys (in example but not in env)
+  local missing=""
+  while IFS= read -r key; do
+    [ -z "$key" ] && continue
+    if ! echo "$env_keys" | grep -qx "$key"; then
+      missing="${missing}  ✗ ${key}\n"
+      errors=$((errors + 1))
+    fi
+  done <<< "$example_keys"
+
+  if [ -n "$missing" ]; then
+    echo "Missing (required but not set):"
+    echo -e "$missing"
+  fi
+
+  # Extra keys (in env but not in example)
+  local extra=""
+  while IFS= read -r key; do
+    [ -z "$key" ] && continue
+    if ! echo "$example_keys" | grep -qx "$key"; then
+      extra="${extra}  ? ${key}\n"
+      [ "$strict" = true ] && errors=$((errors + 1)) || warnings=$((warnings + 1))
+    fi
+  done <<< "$env_keys"
+
+  if [ -n "$extra" ]; then
+    if [ "$strict" = true ]; then
+      echo "Extra (not in $example — strict mode):"
+    else
+      echo "Extra (not in $example — informational):"
+    fi
+    echo -e "$extra"
+  fi
+
+  # Empty values check
+  if [ "$no_empty" = true ]; then
+    local empty=""
+    while IFS= read -r line; do
+      case "$line" in ""|\#*) continue ;; esac
+      local key="${line%%=*}" value="${line#*=}"
+      if [ -z "$value" ] || [ "$value" = '""' ] || [ "$value" = "''" ]; then
+        empty="${empty}  ⚠ ${key} (empty)\n"
+        errors=$((errors + 1))
+      fi
+    done < "$file"
+
+    if [ -n "$empty" ]; then
+      echo "Empty values:"
+      echo -e "$empty"
+    fi
+  fi
+
+  # Summary
+  echo "Result: $errors errors, $warnings warnings"
+  [ "$errors" -gt 0 ] && return 1
+  echo "✓ Validation passed."
+  return 0
+}
+
+_extract_keys() {
+  grep -v '^#' "$1" | grep -v '^$' | grep '=' | sed 's/=.*//' | sort
+}

package/cli/main.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SKILL_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+# Source cli-core libraries
+# shellcheck source=/dev/null
+CLI_CORE="${SKILL_ROOT}/../cli-core/lib"
+if [ -d "$CLI_CORE" ]; then
+  source "${CLI_CORE}/dispatcher.sh"
+  source "${CLI_CORE}/logger.sh"
+  source "${CLI_CORE}/config.sh"
+  source "${CLI_CORE}/version.sh"
+fi
+
+export SKILL_NAME="env-manager"
+export VERSION
+VERSION=$(foundry::version::get "$SKILL_ROOT" 2>/dev/null || echo "0.0.0")
+export COMMANDS_DIR="${SKILL_ROOT}/cli/commands"
+
+foundry::logger::parse_flags "$@"
+foundry::dispatcher::dispatch "$@"

package/cli/utils/common.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+# Shared utility functions for this skill

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@redredchen01/env-manager",
+  "version": "0.2.0",
+  "description": "CLI toolkit for .env file management — diff, validate, sync, encrypt/decrypt",
+  "bin": {
+    "env-manager": "./bin/env-manager.sh"
+  },
+  "files": [
+    "bin/",
+    "cli/",
+    "scripts/",
+    "references/",
+    "assets/",
+    "SKILL.md",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "keywords": [
+    "claude-code",
+    "skill",
+    "cli",
+    "env",
+    "dotenv",
+    "config",
+    "secrets"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/redredchen01/skill-foundry",
+    "directory": "packages/env-manager"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@redredchen01/cli-core": "*"
+  },
+  "skillFoundry": {
+    "concept": ".env file management — show, diff, validate, sync, encrypt, decrypt, init",
+    "phase": "generate",
+    "capabilities": [
+      "show",
+      "diff",
+      "validate",
+      "sync",
+      "encrypt",
+      "decrypt",
+      "init"
+    ]
+  }
+}