Skip to content

feat: add env command for shell-consumable vault export#158

Merged
hazcod merged 2 commits into
hazcod:masterfrom
wpfleger96:wpfleger96/feat/env-command
Jun 21, 2026
Merged

feat: add env command for shell-consumable vault export#158
hazcod merged 2 commits into
hazcod:masterfrom
wpfleger96:wpfleger96/feat/env-command

Conversation

@wpfleger96

@wpfleger96 wpfleger96 commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Adds an env subcommand that outputs vault field values as shell-safe KEY='value' lines, designed for eval $(enpass-cli env ...) workflows.

Usage

# Default: extract the password field
enpass-cli -vault /path env GITHUB_TOKEN="GitHub Personal"
# Output: GITHUB_TOKEN='ghp_abc123...'

# Specific field via -field flag
enpass-cli -vault /path env -field "Access Key" AWS_KEY="AWS"
# Output: AWS_KEY='AKIA...'

# JSON output
enpass-cli -vault /path -json env MY_SECRET="entry title"
# Output: {"MY_SECRET":"..."}

# Shell integration
eval $(enpass-cli -vault /path env DB_PASS="Production DB")

Summary

  • Each positional arg is a VARNAME=filter pair — the filter uses the same substring matching as existing commands
  • VARNAME is validated as a POSIX shell identifier ([a-zA-Z_][a-zA-Z0-9_]*) to prevent injection when output is eval'd
  • Optional -field flag selects which field label to extract (default: password field)
  • When -field is set, the default cardType filter is cleared so non-password field types (username, email, custom fields) are reachable
  • Values are single-quoted with ' escaped as '\'' for safe shell eval
  • Supports -json for programmatic consumption
  • Two resolution paths: without -field uses GetEntry() (same as pass), with -field uses GetAllFields() + case-insensitive label matching
  • Text mode outputs each pair immediately; JSON mode accumulates into a flat {"KEY":"value"} object

https://claude.ai/code/session_01Lr7gquKQVPezfc8NvN39q8

Outputs vault field values as shell-safe KEY='value' lines, designed
for eval $(enpass-cli env ...) workflows. Supports -field flag to
select a specific field label (default: password) and -json for
programmatic consumption.

Claude-Session: https://claude.ai/code/session_01Lr7gquKQVPezfc8NvN39q8
Validate varName as a POSIX shell identifier to prevent injection via
eval. Clear the default cardType filter in the -field path so non-password
field labels (username, Access Key, etc.) are actually reachable. Output
text pairs immediately instead of accumulating.

Claude-Session: https://claude.ai/code/session_01Lr7gquKQVPezfc8NvN39q8
@hazcod hazcod merged commit f6a6e88 into hazcod:master Jun 21, 2026
5 checks passed
@hazcod

hazcod commented Jun 21, 2026

Copy link
Copy Markdown
Owner

Thank you!

wpfleger96 added a commit to wpfleger96/shell-configs that referenced this pull request Jun 22, 2026
Adds `enpass-cli` as a managed WSL package and a `load-tf-secrets` shell
function for loading homelabconfigs Terraform secrets from an Enpass
vault into the current shell session.

`enpass-cli` is installed from upstream GitHub releases
(`hazcod/enpass-cli`) via the `script` method — downloads the latest
`linux_amd64` zip, extracts the binary, and places it in
`~/.local/bin/enpass-cli`. Marked `wsl_only` since the Enpass vault
lives on the Windows filesystem.

- `load-tf-secrets` prompts for the master password once, exports
`MASTERPW`, runs all 11 `enpass-cli -nonInteractive` invocations, then
unsets it
- Covers all 11 root-level `TF_VAR_*` secrets across homelab/Proxmox
(5), AWS (1), GCP (4), and Cloudflare (1) stacks
- `ENPASS_VAULT_PATH` exported as WSL default pointing at the primary
vault directory
- Depends on the `env` command merged in
[hazcod/enpass-cli#158](hazcod/enpass-cli#158)
(shipped in v1.12.0)

https://claude.ai/code/session_01Lr7gquKQVPezfc8NvN39q8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants