Skip to content

astro-env-inspector

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

astro-env-inspector

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
.npmignore
.npmignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 
tsconfig.test.json
tsconfig.test.json
 
 

README.md

@shiftescape/astro-env-inspector

version downloads MIT License

A dev toolbar integration for Astro that shows all your environment variables — grouped, masked, and searchable — directly inside astro dev. Zero footprint in production.

ENV Inspector (1 leaking) (1 missing) (8 vars)
─────────────────────────────────────────────────────
PUBLIC: 3   PRIVATE: 8   ASTRO: 4
─────────────────────────────────────────────────────
🌐 Public (PUBLIC_*)
  🟢 PUBLIC_SITE_NAME        My Astro Site
  🟢 PUBLIC_API_URL          https://api.example.com
  🟠 PUBLIC_API_KEY          ••••••••            👁 📋

🔒 Private / Server-only
  🟢 DATABASE_URL            postgres://localhost/db
  🟢 STRIPE_SECRET_KEY       ••••••••            👁 📋
  🔴 SENDGRID_API_KEY        not set

🚀 Astro Built-ins
  🟢 MODE                    development
  🟢 DEV                     true
─────────────────────────────────────────────────────

Features

  • 🔒 Dev-only — completely stripped in astro build and astro preview, zero production footprint
  • 📋 Grouped — variables organised into Public, Private, Astro built-ins
  • Set vs missing — instantly spot variables that are unset
  • 👁 Masked by default — sensitive values hidden with a per-variable reveal toggle
  • ⚠️ Leak detection — warns when a PUBLIC_* variable looks like it contains a secret
  • 🔍 Searchable — filter by key or value in real time
  • 📋 Copy on click — copy any value to clipboard instantly

Install

npm install -D @shiftescape/astro-env-inspector
# or
pnpm add -D @shiftescape/astro-env-inspector

Usage

// astro.config.mjs
import { defineConfig } from "astro/config";
import envInspector from "@shiftescape/astro-env-inspector";

export default defineConfig({
  integrations: [envInspector()],
});

Open your site in astro dev, click the toolbar icon in the bottom bar, and the panel appears.

With options

envInspector({
  // Extra key patterns to always treat as sensitive and mask
  sensitivePatterns: ["MY_APP_SECRET", "INTERNAL_*"],

  // Hide Astro built-ins (MODE, DEV, PROD, SITE, BASE_URL)
  showAstroBuiltins: false,

  // Start with all values revealed (not recommended for shared screens)
  revealByDefault: false,
});

Options

Option Type Default Description
sensitivePatterns string[] [] Extra key patterns to mask. Supports * suffix wildcard.
showAstroBuiltins boolean true Show MODE, DEV, PROD, SITE, BASE_URL etc.
revealByDefault boolean false Start with all values unmasked.

Built-in sensitive patterns

The following patterns are always masked regardless of options: KEY, SECRET, TOKEN, PASSWORD, PASS, PWD, PRIVATE, AUTH, CREDENTIAL, CERT, API_KEY, APIKEY, ACCESS_KEY, CLIENT_SECRET

Leak detection

If a PUBLIC_* variable matches any sensitive pattern, the inspector flags it with a ⚠ warning — both in the panel and in the terminal. For example, PUBLIC_API_KEY would trigger this warning since it's publicly exposed to the browser but looks like a secret.

Dev-only guarantee

The integration checks command === 'dev' in astro:config:setup and returns early for build and preview. The toolbar app entrypoint is never registered, never bundled, and never shipped to users.

License

MIT © Alvin James Bellero