Env Validator audits .env files for malformed lines, empty required keys, duplicate keys, unquoted whitespace, and unexpanded variable references. The Pre-Deploy Gate diff mode compares .env.local against .env.example and reports missing keys, extra keys, changed values with automatic secret masking, and type mismatches — catching configuration errors in CI before they crash a production deployment.
Env Validator
Audit .env files and diff against .env.example — the Pre-Deploy Gate
How to use
- Pick a mode — Diff (Pre-Deploy Gate) compares .env.local against .env.example. Validate audits a single .env without a reference.
- Paste your .env content — Drop the actual deployment env (typically .env.local) into the left field. In diff mode, paste the reference (.env.example) into the right field.
- Run the audit — The tool reports issues with line numbers, flags secret-looking keys, and in diff mode shows missing keys, extra keys, value changes (secrets masked), and type mismatches.
- Wire into CI — The missingKeys[] array is the natural gate signal — if non-empty in your pre-deploy check, fail the build before the deployment crashes on a missing variable.
- Act on secret flags — Move any flagged credentials out of committable dotfiles and into a real secrets manager (Vercel Env, AWS Secrets Manager, Doppler).
MCP / API
Call env_validator directly from any MCP-compatible agent:
// MCP TypeScript SDK
const result = await client.callTool({
  name: "env_validator",
  arguments: {
    "mode": "validate",
    "envContent": "..."
  }
});

# curl
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/call","params":{"name":"env_validator","arguments":{"mode":"validate","envContent":"..."}}}'
FAQ
Why does diff mode mask secret values but show non-secret values verbatim?
The diff output is intended to be safe to log in CI output, paste into PR descriptions, or render in developer-onboarding tooling. Masking applies to any key whose name contains SECRET, PASSWORD, TOKEN, PRIVATE, CERT, CREDENTIAL, or API_KEY (case-insensitive). Non-secret keys (NODE_ENV, PORT, DATABASE_URL host changes, etc.) are surfaced verbatim because that's usually the actionable information you want to see.
How is "type" inferred for type mismatches?
Heuristic inference: "true" or "false" → boolean; values matching the numeric regex (-?\d+(\.\d+)?) → number; everything else → string; empty values are excluded from comparison. A mismatch is reported only when both sides infer a non-empty type and the types differ. PORT=3000 (number) vs PORT=eight (string) is a mismatch; PORT=3000 vs PORT=8080 is not.
What is the "Pre-Deploy Gate" pattern?
Wire the diff endpoint into your CI pipeline before the deploy step. Pass the production-bound env as envContent and the committed .env.example as referenceEnv. If diff.missingKeys is non-empty, fail the build — those keys would cause a runtime crash on the first request. If diff.typeMismatches is non-empty, fail also — a string where a number was expected typically crashes app startup.
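The gate rules from the answers above (name-based masking, type inference, fail on missing keys or type mismatches) can be run locally as follows. This is an added example, not the obfus.link tool's own code; the simplified dotenv parser, the `gate` function name, the `****` mask string and the sample files are assumptions.

```javascript
// Added example: the FAQ's gate rules applied locally. Not the tool's implementation.
const SECRET_RE = /SECRET|PASSWORD|TOKEN|PRIVATE|CERT|CREDENTIAL|API_KEY/i;
const NUMBER_RE = /^-?\d+(\.\d+)?$/;

// Simplified dotenv parse (assumption): KEY=VALUE, # comments, optional quotes, last wins.
function parseEnv(text) {
  const env = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue; // malformed line; validate mode would report it
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    env.set(line.slice(0, eq).trim(), value);
  }
  return env;
}

// Type heuristic from the FAQ: boolean, number, else string; empty is excluded (null).
function inferType(v) {
  if (v === "") return null;
  if (v === "true" || v === "false") return "boolean";
  return NUMBER_RE.test(v) ? "number" : "string";
}

const mask = (key, v) => (SECRET_RE.test(key) ? "****" : v);

function gate(envText, referenceText) {
  const env = parseEnv(envText), ref = parseEnv(referenceText);
  const missingKeys = [...ref.keys()].filter((k) => !env.has(k));
  const extraKeys = [...env.keys()].filter((k) => !ref.has(k));
  const typeMismatches = [], changed = [];
  for (const [k, v] of env) {
    if (!ref.has(k)) continue;
    const actual = inferType(v), expected = inferType(ref.get(k));
    if (actual && expected && actual !== expected) typeMismatches.push({ key: k, expected, actual });
    if (v !== ref.get(k)) changed.push({ key: k, from: mask(k, ref.get(k)), to: mask(k, v) });
  }
  const pass = missingKeys.length === 0 && typeMismatches.length === 0;
  return { pass, missingKeys, extraKeys, typeMismatches, changed };
}

// Constructed sample input: .env.example (reference) and .env.local (deployment env).
const EXAMPLE = "NODE_ENV=development\nPORT=3000\nAPI_KEY=\nDATABASE_URL=postgres://localhost/app\nDEBUG=false";
const LOCAL = "NODE_ENV=production\nPORT=eight\nAPI_KEY=sk_live_constructed\nFEATURE_X=1\nDEBUG=\"true\"";
console.log(JSON.stringify(gate(LOCAL, EXAMPLE), null, 2));
```

In a CI step, exit non-zero when `pass` is false. Masking here is by key name only, as on the page, so a credential embedded in the value of a non-matching key (a connection string, for instance) is printed verbatim.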
Why are duplicate keys flagged but not treated as critical errors?
dotenv and most env loaders apply "last wins" semantics — duplicates are technically valid. But they're almost always a bug, often from a merge conflict that wasn't cleanly resolved. The tool flags them as warnings so they surface for review without breaking pipelines that intentionally use the pattern.
Can I use this with formats other than .env?
No. The parser is dotenv-specific (KEY=VALUE, # comments, quoted/unquoted values). For YAML config auditing, use yaml_to_env first to convert YAML into .env shape, then run env_validator. For JSON or TOML, this is the wrong tool — those formats have their own validators.
Can I use this tool via the MCP API?
Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.