ln-733-env-configurator

> **Paths:** File paths (`shared/`, `references/`, `../ln-*`) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If `shared/` is missing, fetch files via WebFetch from `https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}`.

# ln-733-env-configurator

**Type:** L3 Worker
**Category:** 7XX Project Bootstrap

Configures environment variables for development and production environments.

---

## Purpose & Scope

Creates environment configuration files:
- **Does**: Generate .env files, update .gitignore for secrets protection
- **Does NOT**: Store secrets, manage external secrets managers, configure CI/CD secrets

---

## Inputs

| Input | Source | Description |
|-------|--------|-------------|
| **Project Name** | Directory name | Used for database/service naming |
| **Backend Port** | Stack-dependent | 5000 (.NET), 8000 (Python) |
| **Frontend Port** | Default | 3000 |
| **Database Port** | Default | 5432 |
| **Detected Vars** | Code analysis | Environment variables found in code |

---

## Outputs

| File | Purpose | Template |
|------|---------|----------|
| `.env.example` | Documented template | [env_example.template](references/env_example.template) |
| `.env.development` | Local development defaults | [env_development.template](references/env_development.template) |
| `.env.production` | Production placeholders | [env_production.template](references/env_production.template) |
| `.gitignore` (append) | Secrets protection | [gitignore_secrets.template](references/gitignore_secrets.template) |

---

## Workflow

### Phase 1: Environment Discovery

Scan project for existing environment usage:
- Check for existing .env files
- Search code for `process.env`, `os.environ`, `Configuration[]`
- Identify which variables are secrets vs configuration

**Output**: List of required environment variables with types

### Phase 2: Variable Classification

Classify discovered variables:

| Category | Examples | Treatment |
|----------|----------|-----------|
| **Database** | DATABASE_URL, POSTGRES_* | Auto-generate with project name |
| **API Config** | API_PORT, LOG_LEVEL | Use detected or defaults |
| **Security** | JWT_SECRET, API_KEY | Placeholder with warning |
| **External** | REDIS_URL, SMTP_* | Comment out as optional |

### Phase 3: Template Generation

Generate environment files from templates:
1. Apply variable substitution
2. Include all discovered variables
3. Add comments for undocumented variables

### Phase 4: Gitignore Update

Append secrets protection to .gitignore:
1. Read existing .gitignore (if exists)
2. Check if secrets patterns already present
3. Append missing patterns from template
4. Preserve existing entries

---

## Generated File Structure

### .env.example

Documented template with all variables:
- Section headers (Database, Backend, Frontend, Security, External)
- Descriptive comments for each variable
- Safe placeholder values (never real secrets)
- Optional variables commented out

### .env.development

Ready-to-use development configuration:
- Pre-filled values that work with docker-compose
- Development-only secrets (clearly marked)
- Debug-level logging enabled

### .env.production

Production placeholder file:
- `${VARIABLE}` syntax for deployment substitution
- Comments indicating required secrets
- Production-appropriate defaults (Warning log level)

---

## Security Best Practices

| Practice | Implementation |
|----------|----------------|
| **No real secrets** | Placeholder values only in templates |
| **Gitignore protection** | All .env files except .env.example |
| **Development warnings** | Mark dev secrets as insecure |
| **Production guidance** | Comments about secrets manager usage |
| **Key rotation reminder** | Note about regular secret rotation |

---

## Security Notes

Generated files include these security reminders:

1. **Never commit real secrets** - .gitignore prevents accidental commits
2. **Use secrets manager** - GitHub Secrets, AWS Secrets Manager for production
3. **Rotate secrets regularly** - Especially JWT secrets
4. **Strong JWT secrets** - Minimum 256 bits (32 bytes)
5. **Restrict CORS** - Only allow necessary origins in production

---

## Quality Criteria

Generated files must:
- [ ] .env.example contains all required variables
- [ ] No real secrets or passwords in any file
- [ ] .gitignore updated with secrets patterns
- [ ] .env.development works with docker-compose
- [ ] .env.production uses placeholder syntax

---

## Critical Notes

1. **Template-based**: Use templates from references/. Do NOT hardcode file contents.
2. **Idempotent**: Check file existence. Append to .gitignore, don't overwrite.
3. **No Real Secrets**: Never generate files with actual passwords or API keys.
4. **Development Safety**: Development defaults should work out-of-box with docker-compose.

---

## Reference Files

| File | Purpose |
|------|---------|
| [env_example.template](references/env_example.template) | Documented .env template |
| [env_development.template](references/env_development.template) | Development defaults |
| [env_production.template](references/env_production.template) | Production placeholders |
| [gitignore_secrets.template](references/gitignore_secrets.template) | .gitignore additions |

---

## Definition of Done

- [ ] .env.example, .env.development, .env.production generated
- [ ] No real secrets or passwords in any generated file
- [ ] .gitignore updated with secrets protection patterns

---

**Version:** 1.1.0
**Last Updated:** 2026-01-10