
EnvKit: Framework-Agnostic Environment Validation, Secrets Masking, and Auto-Generation


Amit Kumar Raikwar

Lead Strategist

June 11, 2026 · 8 min read

Managing environment variables across development, staging, and production is notoriously error-prone. Meet EnvKit—a zero-dependency, framework-agnostic library that validates environment schemas using Zod, dynamically masks secrets in logs, and automatically synchronizes .env.example templates.

The Silent Configuration Crises

Every developer has lived through this scenario: you deploy a critical update, and the production build instantly crashes because a new API token was added to the schema but forgotten in the environment settings. Or worse: a debug log statement accidentally writes your database credentials or OAuth secret in plain text to a logging service like Datadog or CloudWatch.

Managing environment variables should not be an exercise in vigilance. While libraries like dotenv parse config files, they don't validate types. Existing schema validators are often tied to specific frontend frameworks or fail to protect secrets from being logged. We built EnvKit to solve these operational pain points once and for all.

Introducing EnvKit

EnvKit is a lightweight, zero-dependency (other than Zod) utility library designed to load, validate, and mask environment variables in any JavaScript or TypeScript project. It works seamlessly in both Node.js server environments and client-side bundlers.

```bash
npm install @novaedgedigitallabs/envkit zod
```

With EnvKit, you declare your application config schema in a central file. Zod parses and casts your variables, ensuring strings, numbers, booleans, and custom enums match your exact criteria. If a variable is invalid or missing, your application fails fast at startup with a clean error message, preventing broken runtimes.

1. Type-Safe Environment Variables

Instead of referencing raw untyped values like process.env.PORT (which TypeScript treats as an optional string), EnvKit parses your variables into a fully-typed object. Port strings are coerced to numbers, booleans are cast correctly, and missing variables trigger clear validation errors immediately.

```typescript
import { createEnv } from '@novaedgedigitallabs/envkit';
import { z } from 'zod';

export const env = createEnv({
  schema: {
    DATABASE_URL: z.string().url(),
    JWT_SECRET: z.string().min(32),
    PORT: z.coerce.number().default(3000),
    NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
  },
  secrets: ['JWT_SECRET', 'DATABASE_URL'],
  generateExample: true, // Automatically append new keys to .env.example
});
```

By calling createEnv, you get an exportable env object that provides auto-complete and static typing throughout your codebase. If you try to compile or run the code without DATABASE_URL specified in your local environment, EnvKit will output a breakdown of Zod errors and halt execution before any requests are handled.

2. Automatic Secrets Masking

One of EnvKit's standout features is its built-in logging protection. In production, developers frequently add statements like console.log(config) or console.log(process.env) to debug state. When secrets are printed this way, they end up in persistent log aggregation tools, exposing sensitive credentials.

EnvKit prevents this by letting you define a secrets list. The returned configuration object uses ES6 Proxies and custom inspection hooks to intercept formatting. If you log the configuration object or any individual secret key, EnvKit automatically masks it.

```typescript
console.log(env.PORT);
// → 3000 (real value is accessible)

console.log(env.JWT_SECRET);
// → 'my-ultra-secure-thirty-two-character-key' (accessible via direct call)

console.log(env);
// → { PORT: 3000, NODE_ENV: 'development', JWT_SECRET: '[MASKED]', DATABASE_URL: '[MASKED]' }
```

This proxy-based security ensures your application logic can read the credentials perfectly (e.g. when connecting to your database), but any accidental log serialization will print [MASKED], preserving your application security.
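
A minimal sketch of this masking pattern in plain JavaScript for Node.js, added here as an illustration and not taken from EnvKit's source; `maskedConfig`, `demo` and the sample values are hypothetical. It also makes visible the boundary that the output above implies: a secret read directly, or copied out with object spread, is an ordinary string and is logged unmasked.

```javascript
// Added sketch: maskedConfig() is a hypothetical helper, not EnvKit's source.
// This registry symbol is the one Node exposes as util.inspect.custom.
const INSPECT = Symbol.for('nodejs.util.inspect.custom');

function maskedConfig(values, secrets, mask = '[MASKED]') {
  const secretKeys = new Set(secrets);
  const target = { ...values };

  // Copy handed to every formatting path: secret keys replaced by the mask.
  const redacted = () => Object.fromEntries(
    Object.entries(target).map(([k, v]) => [k, secretKeys.has(k) ? mask : v])
  );

  // console.log -> util.inspect unwraps a Proxy and reads this hook from the
  // target, so it lives there. Non-enumerable keeps both hooks out of
  // Object.keys() and out of the redacted copy.
  Object.defineProperty(target, INSPECT, { value: redacted });
  // JSON.stringify calls toJSON() when the object provides one.
  Object.defineProperty(target, 'toJSON', { value: redacted });

  // Reads pass through untouched so application code gets the real value;
  // the traps only make the config read-only.
  return new Proxy(target, {
    set() { throw new TypeError('config is read-only'); },
    deleteProperty() { throw new TypeError('config is read-only'); },
  });
}

// Constructed sample values.
const env = maskedConfig({
  PORT: 3000,
  JWT_SECRET: 'my-ultra-secure-thirty-two-character-key',
  DATABASE_URL: 'postgres://app:example-password@db.example.internal:5432/app',
}, ['JWT_SECRET', 'DATABASE_URL']);

function demo() {
  return {
    direct: env.JWT_SECRET,             // direct read: the real string
    json: JSON.stringify(env),          // masked through toJSON
    inspected: env[INSPECT](),          // the object console.log(env) renders
    copied: ({ ...env }).JWT_SECRET,    // spread copy carries neither hook
  };
}

console.log(env);
```

Masking of this kind covers whole-object logging; code paths that log `env.JWT_SECRET` itself or a spread copy still need review or scrubbing on the logging side.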

3. Smart Template Generation (CLI & Runtime)

When working in a team, one engineer adding a new key to their .env file usually forgets to update the shared .env.example file. The next developer pulls the changes and is left debugging why their local environment is broken.

EnvKit solves this by shipping with a dedicated CLI and runtime sync mechanism. Running the command parses your files and appends missing keys to your template file without erasing existing notes, descriptions, or comment blocks.

```bash
npx envkit generate
# → ✓ .env.example updated with 4 new keys
```

You can point EnvKit at custom environment file paths for staging, production, or microservices using CLI flags. It supports ESM and CJS natively, making it a drop-in replacement for dotenv configuration setups in legacy and modern projects alike.
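
The append-only sync described in this section, sketched as a pure JavaScript function. This is an added example, not EnvKit's CLI code: `keysOf`, `syncExample` and the sample file contents are hypothetical, and it assumes single-line `KEY=value` entries. Only key names are appended, so values from the local .env never reach the shared template.

```javascript
// Added sketch: syncExample() is a hypothetical helper, not EnvKit's CLI code.
// Matches "KEY=" or "export KEY="; comment and blank lines never match.
const KEY_LINE = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/;

function keysOf(text) {
  const keys = [];
  for (const line of text.split(/\r?\n/)) {
    const m = KEY_LINE.exec(line);
    if (m && !keys.includes(m[1])) keys.push(m[1]);
  }
  return keys;
}

function syncExample(envText, exampleText) {
  const known = new Set(keysOf(exampleText));
  const missing = keysOf(envText).filter((k) => !known.has(k));
  if (missing.length === 0) return { text: exampleText, added: [] };

  // Existing template content is kept byte for byte; new keys go at the end.
  const sep = exampleText === '' || exampleText.endsWith('\n') ? '' : '\n';
  // Only the key name is written: the value from .env is dropped here.
  const text = exampleText + sep + missing.map((k) => `${k}=\n`).join('');
  return { text, added: missing };
}

// Constructed sample files.
const ENV = [
  'DATABASE_URL=postgres://app:example-password@db.example.internal:5432/app',
  'JWT_SECRET=my-ultra-secure-thirty-two-character-key',
  'export SMTP_PASSWORD="constructed value"',
  'PORT=3000',
].join('\n');
const EXAMPLE = '# Server\nPORT=3000\n\n# Database connection string\nDATABASE_URL=';

const result = syncExample(ENV, EXAMPLE);
console.log(result.added);
console.log(result.text);
```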

Framework Agnostic by Design

Unlike other framework-specific validation solutions, EnvKit is built to run anywhere. It performs equally well in an Express API, a NestJS microservice, a Vite frontend, or a standalone CLI utility. By separating configuration schema logic from the framework, you maintain a consistent environment validation standard across your entire organization.

Check out @novaedgedigitallabs/envkit on npm and secure your environment configurations today. Contributions are always welcome on our GitHub repository!
