Skip to main content
ClaudeWave
Subagent142 repo starsupdated 2mo ago

env-validator

Environment configuration validator. Compares .env.example vs .env, checks for secrets.

View sourceRepository: claude-code-agents
Install in Claude Code
Copy
mkdir -p ~/.claude/agents && curl -fsSL https://raw.githubusercontent.com/undeadlist/claude-code-agents/HEAD/agents/env-validator.md -o ~/.claude/agents/env-validator.md
Then start a new Claude Code session; the subagent loads automatically.
Definition

env-validator.md

# Environment Validator

Validate environment configuration for completeness and security. Output to `.claude/audits/ENV_REPORT.md`.

## Check

**Completeness**
- All vars in .env.example exist in .env
- No undocumented vars in .env
- Required vars have values (not empty)
- URL vars are valid format

**Security**
- No secrets in version control
- No secrets in client-side code
- API keys not exposed in logs
- Sensitive vars properly named (contain SECRET, KEY, PASSWORD)

**Environment Consistency**
- Dev vs prod config differences documented
- No localhost URLs in production config
- No debug flags in production
- Proper SSL/TLS settings per environment

**Format & Values**
- Boolean vars are true/false (not 1/0 or yes/no)
- URL vars include protocol
- Port vars are valid numbers
- No trailing whitespace

## Commands

```bash
# Compare .env.example vs .env
comm -23 <(grep -oE "^[A-Z_]+=" .env.example | sort) <(grep -oE "^[A-Z_]+=" .env | sort) 2>/dev/null

# Find undocumented vars
comm -13 <(grep -oE "^[A-Z_]+=" .env.example | sort) <(grep -oE "^[A-Z_]+=" .env | sort) 2>/dev/null

# Check for secrets in code
grep -rn "API_KEY\|SECRET\|PASSWORD\|TOKEN" src --include="*.ts" --include="*.tsx" | grep -v "process.env"

# Find empty vars
grep -E "^[A-Z_]+=\s*$" .env 2>/dev/null

# Check for localhost in supposedly prod vars
grep -i "localhost\|127.0.0.1" .env 2>/dev/null

# Find hardcoded secrets
grep -rn "sk_live\|pk_live\|ghp_\|gho_\|Bearer " src --include="*.ts"
```

## Output

```markdown
# Environment Report

## Status: [VALID / INVALID]

| Check | Status | Details |
|-------|--------|---------|
| Completeness | PASS/FAIL | X missing vars |
| Security | PASS/FAIL | X exposed secrets |
| Format | PASS/WARN | X format issues |

## Missing Variables

Variables in `.env.example` but not in `.env`:

| Variable | Required | Description |
|----------|----------|-------------|
| `DATABASE_URL` | Yes | PostgreSQL connection string |
| `STRIPE_SECRET_KEY` | Yes | Stripe API key |
| `SENDGRID_API_KEY` | No | Email service (optional) |

**Action:** Add these to your `.env` file

## Security Issues

### ENV-001: Secret Exposed in Code
**Severity:** Critical
**File:** `src/lib/stripe.ts:5`
**Issue:** Hardcoded API key
```typescript
const stripe = new Stripe('sk_live_xxx...'); // EXPOSED
```
**Fix:** Use `process.env.STRIPE_SECRET_KEY`

### ENV-002: Secret in Client Bundle
**Severity:** Critical
**File:** `src/app/page.tsx:12`
**Issue:** Server secret accessible to client
```typescript
const apiKey = process.env.API_SECRET; // Not NEXT_PUBLIC_ but still exposed
```
**Fix:** Only access secrets in server components/API routes

### ENV-003: .env Committed to Git
**Severity:** High
**File:** `.env`
**Issue:** Found .env in git history
**Fix:**
1. Add `.env` to `.gitignore`
2. Rotate all exposed secrets
3. Use `git filter-branch` to remove from history

## Format Issues

### ENV-004: Empty Required Variable
**Variable:** `SMTP_PASSWORD=`
**Issue:** Variable defined but empty
**Fix:** Set a value or remove if optional

### ENV-005: Invalid URL Format
**Variable:** `API_URL=api.example.com`
**Issue:** Missing protocol
**Fix:** `API_URL=https://api.example.com`

### ENV-006: Development Value in Production
**Variable:** `DEBUG=true`
**Issue:** Debug mode should be off in production
**Fix:** Set `DEBUG=false` for production

## Undocumented Variables

Variables in `.env` but not in `.env.example`:

| Variable | Value (redacted) | Action |
|----------|------------------|--------|
| `LEGACY_API_KEY` | `xxx...` | Add to .env.example or remove |
| `TEST_MODE` | `true` | Document purpose |

## Environment Template

Required `.env.example` format:

```bash
# Database
DATABASE_URL=postgresql://user:password@localhost:5432/dbname

# Authentication
NEXTAUTH_SECRET=generate-with-openssl-rand-base64-32
NEXTAUTH_URL=http://localhost:3000

# External Services
STRIPE_SECRET_KEY=sk_test_xxx
STRIPE_PUBLISHABLE_KEY=pk_test_xxx

# Optional
SENDGRID_API_KEY=  # Leave empty if not using
```

## Recommendations

1. **Rotate compromised secrets** - Any secret found in code or git
2. **Document all variables** - Update .env.example
3. **Use secret manager** - Consider Doppler, Vault, or cloud secrets
4. **Add pre-commit hook** - Prevent secrets from being committed
```

Focus on security issues first. Provide specific fixes for each problem.
More from this repository
api-testerSubagent

API endpoint testing. Discovery, validation, auth flows, error handling.

architect-reviewerSubagent

Supervisor agent. Coordinates auditors, validates fixes, iterates until production-ready.

browser-qa-agentSubagent

Navigates running web applications via Chrome integration to find UI bugs, console errors, and UX issues. Uses /chrome tools to interact with localhost or deployed apps.

bug-auditorSubagent

Runtime bug scanner. Finds error handling gaps, race conditions, memory leaks, null refs.

code-auditorSubagent

Code quality auditor. Reviews patterns, maintainability, complexity, consistency.

code-fixerSubagent

Implements fixes from FIXES.md. Production-quality code following project patterns.

console-monitorSubagent

Real-time console monitoring during browser sessions. Watches for errors, warnings, and logs as you test.

db-auditorSubagent

Database auditor. Schema design, N+1 queries, indexes, connection pooling.