Commands

Overview

hush <command> [options]

Global Options

Option            Description
-e, --env <env>   Environment: development or production (default: development)
-r, --root <dir>  Root directory (default: current directory)
-h, --help        Show help message
-v, --version     Show version number

init

Generate a hush.yaml configuration file with auto-detected targets.

hush init

This command scans your monorepo for packages with package.json files and creates an initial configuration.

Example Output

# hush.yaml (generated)
sources:
  shared: .env
  development: .env.development
  production: .env.production
targets:
  - name: root
    path: .
    format: dotenv
  - name: app
    path: ./packages/app
    format: dotenv
  - name: api
    path: ./packages/api
    format: wrangler

encrypt

Encrypt source .env files to .env.encrypted files.

hush encrypt

What Gets Encrypted

Based on your hush.yaml sources configuration:

  • .env → .env.encrypted
  • .env.development → .env.development.encrypted
  • .env.production → .env.production.encrypted

decrypt

Decrypt and distribute secrets to all configured targets.

# Decrypt for development (default)
hush decrypt
# Decrypt for production
hush decrypt -e production
hush decrypt --env prod

How It Works

  1. Loads and decrypts encrypted source files
  2. Merges shared → environment → local overrides
  3. Interpolates variable references (${VAR})
  4. Filters variables per target using include/exclude patterns
  5. Writes to each target in the configured format

Source File Priority

Later sources override earlier ones:

  1. Shared (.env.encrypted) - Base variables
  2. Environment (.env.development.encrypted or .env.production.encrypted) - Environment overrides
  3. Local (.env.local, unencrypted) - Personal overrides (not committed)
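
The merge, interpolation and filtering order described above, as an added JavaScript sketch (not hush's own code; the variable values, the glob semantics and the handling of unknown or cyclic references are assumptions). Because interpolation runs before filtering, it also checks whether a withheld variable's value was already copied into a variable the target does receive.

```javascript
// Added sketch of the decrypt order; not hush's source. All values are constructed.
const shared = {
  EXPO_PUBLIC_API_HOST: 'api.example.test',
  EXPO_PUBLIC_API_URL: 'https://${EXPO_PUBLIC_API_HOST}/v1',
  DATABASE_URL: 'postgres://app:${DB_PASSWORD}@db.internal/app',
};
const development = { DB_PASSWORD: 'constructed-dev-password' };
const local = { EXPO_PUBLIC_API_HOST: 'localhost:8787' };
const targets = { root: {}, app: { include: ['EXPO_PUBLIC_*'] },
  api: { exclude: ['EXPO_PUBLIC_*'] } };

// Step 2: later sources override earlier ones (shared < environment < local).
const merge = (...sources) => Object.assign({}, ...sources);

// Step 3: resolve ${VAR} against the merged set. Assumptions: unknown names are
// left as written, and a depth limit stops reference cycles.
function interpolate(vars, maxDepth = 10) {
  const resolve = (value, depth) =>
    value.replace(/\$\{(\w+)\}/g, (ref, name) =>
      Object.hasOwn(vars, name) && depth < maxDepth
        ? resolve(vars[name], depth + 1) : ref);
  return Object.fromEntries(
    Object.entries(vars).map(([k, v]) => [k, resolve(v, 0)]));
}

// Step 4: assumed glob semantics: '*' matches any run, the rest is literal.
const glob = (p) => new RegExp('^' + p.split('*')
  .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$');
const any = (name, pats) => pats.some((p) => glob(p).test(name));
function filterForTarget(vars, { include = ['*'], exclude = [] } = {}) {
  return Object.fromEntries(Object.entries(vars)
    .filter(([k]) => any(k, include) && !any(k, exclude)));
}
// Check: a name filter cannot help if step 3 already copied a withheld
// variable's value into a variable the target does receive.
function embedded(all, delivered) {
  const withheld = Object.keys(all).filter((k) => !Object.hasOwn(delivered, k) && all[k]);
  return Object.entries(delivered).flatMap(([k, v]) =>
    withheld.filter((w) => v.includes(all[w])).map((w) => `${k} <- ${w}`));
}

function distribute(extra = {}) {
  const all = interpolate(merge(shared, development, local, extra));
  return Object.fromEntries(Object.entries(targets).map(([name, t]) => {
    const vars = filterForTarget(all, t);
    return [name, { vars, embedded: embedded(all, vars) }];
  }));
}
console.log(distribute().app);
```

Calling `distribute({ EXPO_PUBLIC_DEBUG_DSN: '${DATABASE_URL}' })` shows the failure mode: the `app` target's `embedded` list reports that the public variable now carries the database URL and password.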

set

Set or modify secrets. Opens the encrypted file in your $EDITOR. Alias: edit

# Set shared secrets
hush set
# Set development secrets
hush set development
# Set production secrets
hush set production

This temporarily decrypts the file, opens it in your editor, and re-encrypts on save.


list

List all variables with their actual values.

# List development variables
hush list
# List production variables
hush list -e production

inspect

List all variables with masked values. Safe for AI agents.

hush inspect
hush inspect -e production

Example Output

Secrets for development:
  DATABASE_URL = post****************... (45 chars)
  STRIPE_SECRET_KEY = sk_t****************... (32 chars)
  API_KEY = (not set)
Total: 3 variables
Target distribution:
  root (.) - 3 vars
  app (./app/) - 1 vars
    include: EXPO_PUBLIC_*
  api (./api/) - 2 vars
    exclude: EXPO_PUBLIC_*

This lets AI agents reason about your configuration without seeing actual secrets.


has

Check if a specific secret exists. Returns exit code 0 if set, 1 if not.

# Check if a variable is set
hush has DATABASE_URL
# Quiet mode (no output, just exit code)
hush has API_KEY -q
# Use in scripts
hush has DATABASE_URL -q && echo "DB configured"

Options

Option       Description
-q, --quiet  Suppress output, only return exit code

Example Output

DATABASE_URL is set (45 chars)

Or if not set:

DATABASE_URL not found

push

Push production secrets to Cloudflare Workers.

# Push secrets
hush push
# Preview without pushing
hush push --dry-run

Options

Option     Description
--dry-run  Preview what would be pushed without making changes

How It Works

  1. Finds targets with format: wrangler and a wrangler.toml file
  2. Reads the worker name from wrangler.toml
  3. Uploads production secrets using wrangler secret put

status

Show configuration and file status.

hush status

Example Output

Hush Status
Configuration: hush.yaml
Sources:
  shared: .env (encrypted: yes, modified: no)
  development: .env.development (encrypted: yes, modified: no)
  production: .env.production (encrypted: yes, modified: no)
Targets:
  root (.)
    format: dotenv
  app (./packages/app)
    format: dotenv
    include: EXPO_PUBLIC_*
  api (./packages/api)
    format: wrangler
    exclude: EXPO_PUBLIC_*
All encrypted files are up to date.

check

Verify encrypted files are in sync with source files. Useful for pre-commit hooks.

# Basic check
hush check
# Warn but don't fail
hush check --warn
# JSON output for CI
hush check --json
# Only check git-modified files
hush check --only-changed

Options

Option            Description
--warn            Warn on drift but exit 0
--json            Output machine-readable JSON
--quiet           Suppress output
--only-changed    Only check files modified in git
--require-source  Fail if source file is missing

Exit Codes

Code  Meaning
0     All in sync
1     Drift detected (run hush encrypt)
2     Config error
3     Runtime error (sops missing, decrypt failed)

Pre-commit Hook

.husky/pre-commit
npx hush check || exit 1

Bypass with: HUSH_SKIP_CHECK=1 git commit -m "message"


skill

Install the Claude Code / OpenCode skill for AI-safe secrets management.

# Interactive: choose global or local
hush skill
# Install globally (all projects)
hush skill --global
# Install locally (this project only)
hush skill --local

Options

Option    Description
--global  Install to ~/.claude/skills/
--local   Install to ./.claude/skills/

Global vs Local

  • Global - Works across all your projects. Recommended for personal use.
  • Local - Bundled with the project. Recommended for teams (commit .claude/ to git).