Smart .env safety, drift detection, and peer-to-peer end-to-end encrypted key sharing — right inside VS Code.
Features
Drift detection — flags keys that exist in .env.example but are missing from your .env (and vice-versa) in the Problems panel.
Secret scanner — warns when API keys, tokens, or private keys are hard-coded in source files instead of .env.
Usage tracer — Cmd/Ctrl+Click a process.env.KEY to jump to its .env definition; hover a .env key to see every file that uses it.
Encrypted key sharing — share selected .env values with a teammate using their GitHub SSH identity. Keys are encrypted client-side with X25519 + XChaCha20-Poly1305; the relay server only ever sees ciphertext.
.env.example sync — one command to add missing (redacted) keys to your example file.
Commands
Command
Description
EnvGuard: Share Keys Securely
Open the share panel to send encrypted keys
EnvGuard: Receive Shared Keys
Import keys from a share link
EnvGuard: Compare Env Files
Compare two or more env files
EnvGuard: Sync .env.example
Add missing keys to .env.example
Configuration
Setting
Default
Description
envguard.relayUrl
https://relay.envguard.dev
Relay server URL for encrypted sharing
envguard.enableSecretScanner
true
Warn on secrets in non-.env files
envguard.secretTTLMinutes
10
Minutes before a shared link expires
Security model
The relay stores only ciphertext and never sees plaintext values.
Share links are one-time (deleted on first read) and expire after 10 minutes.
A fresh ephemeral key pair is used per message, providing forward secrecy.
Recipient identity is bootstrapped from their public GitHub ed25519 SSH key.
MVP note: the recipient's X25519 private key is entered manually via a password input. vscode.SecretStorage integration lands in v0.2 before any public release.