Module env

Environment variable formatting and injection utilities.

Provides format functions for rendering vault secrets as shell-evaluable env assignments (export KEY="value"), GitHub Actions workflow commands, and PowerShell syntax. Also implements the exec env-injection path: building a child-process environment that strips sensitive tsafe-internal vars before adding vault secrets.

Constants

MINIMAL_ENV_VARS
Minimal set of parent env vars that most commands need for basic operation.

Functions

clean_env_command
Build a command from a clean environment, adding back only keep, then vault secrets.
command_with_secrets
Build a command with the inherited parent env (minus sensitive strips) plus vault secrets.
command_with_secrets_and_extra_strips
Build a command with the inherited parent env (minus sensitive strips and extra_strip_names) plus vault secrets.
exec_clean_env
Like exec_with_secrets but starts from a clean environment (no parent env inherited), then adds back only the keep entries from the parent, and finally injects secrets.
exec_with_secrets
Spawn cmd_parts[0] with cmd_parts[1..] as arguments, injecting secrets into its environment (on top of the inherited parent env). Returns exit code.
format_docker_env
Docker --env-file format: KEY=VALUE per line, sorted by key.
format_dotenv
export KEY="VALUE" per line (bash/zsh source-able). Escapes backslashes, double-quotes, dollar signs, backticks, and newlines.
format_env
KEY=VALUE per line (POSIX env assign syntax).
format_github_actions
GitHub Actions format: ::add-mask::VALUE workflow command followed by KEY=VALUE for each secret, sorted by key.
format_json
JSON object { "KEY": "VALUE", … }.
format_powershell
$env:KEY = "VALUE" per line (PowerShell source-able). Escapes double-quotes, backticks, dollar signs, and newlines for safe evaluation.
format_toml
TOML flat top-level table: KEY = "VALUE" per line, sorted by key.
format_yaml
YAML mapping: one KEY: "VALUE" per line, sorted by key.
is_dangerous_injected_env_name
Returns true if this env var name is known to affect loaders or interpreters (ASCII case-insensitive).
parse_dotenv
Parse a .env-style file into a HashMap (key→value map). Handles # comments, blank lines, …
sensitive_parent_env_vars
Returns the list of parent environment variable names that tsafe exec strips before spawning the child process, including config-driven extras. Used by --plan to show which names would be scrubbed.
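
The clean-environment path summarized above for clean_env_command and exec_clean_env, shown with std::process::Command as an added example; this is not tsafe's own code. The function names, the deny-list contents and the sample values are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, HashMap};
use std::process::Command;

// Assumed deny-list for illustration; the crate's actual list is not shown on this page.
const DANGEROUS: &[&str] = &["LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "BASH_ENV"];

/// ASCII case-insensitive match against the assumed deny-list.
fn is_dangerous_name(name: &str) -> bool {
    DANGEROUS.iter().any(|d| d.eq_ignore_ascii_case(name))
}

/// Start from an empty environment, copy only `keep` names from `parent`,
/// then add `secrets`; refuse secrets whose names steer loaders or interpreters.
fn build_clean_command(
    program: &str,
    parent: &HashMap<String, String>,
    keep: &[&str],
    secrets: &BTreeMap<String, String>,
) -> Result<Command, String> {
    if let Some(bad) = secrets.keys().find(|k| is_dangerous_name(k)) {
        return Err(format!("refusing to inject {bad}"));
    }
    let mut cmd = Command::new(program);
    cmd.env_clear(); // nothing is inherited implicitly
    for name in keep {
        if let Some(value) = parent.get(*name) {
            cmd.env(name, value);
        }
    }
    cmd.envs(secrets); // added last, so a secret overrides a kept parent value
    Ok(cmd)
}

/// Sorted names the child would receive, for a plan-style dry run.
fn planned_env_names(cmd: &Command) -> Vec<String> {
    let mut names: Vec<String> = cmd.get_envs()
        .filter(|(_, value)| value.is_some())
        .map(|(key, _)| key.to_string_lossy().into_owned())
        .collect();
    names.sort();
    names
}

fn main() {
    // Constructed sample data, not real secrets.
    let parent = HashMap::from([("PATH".to_string(), "/usr/bin".to_string())]);
    let secrets = BTreeMap::from([("DB_URL".to_string(), "postgres://example".to_string())]);
    let cmd = build_clean_command("env", &parent, &["PATH"], &secrets).unwrap();
    println!("{:?}", planned_env_names(&cmd));
}
```

Listing names only, never values, keeps the dry-run output safe to paste into logs or tickets.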