Usage
Pulls the latest variables for each environment in your .envless file, decrypts them with the cached workspace key, and writes them to local .env files. Idempotent — running sync twice in a row with no remote changes is a no-op.
Prerequisites
Before the first sync you need to be signed in, linked, and unlocked:
If the workspace is locked, sync exits early and tells you to run envless passphrase set. The cached key lives in ~/.envless/config.json under workspaceKeys[<workspaceId>], so subsequent syncs run without prompting.
Output files
One file per linked environment, always named .env.<slug>. If .envless.environments is ["development", "staging"], sync writes .env.development and .env.staging. Even when only one environment is linked, the suffix is always there — never plain .env — so it’s always unambiguous which env a file belongs to, and adding another env later won’t rename anything that already exists.
Files are written with mode 0600. The header contains a sync timestamp:
Values are sorted alphabetically and quoted when they contain whitespace, ", #, =, $, or other shell-significant characters.
No-op detection
Before writing, sync compares the new variable body with the existing file (ignoring the timestamp header). If the body is identical, the file is left untouched — no mtime change, no dev-server reload.
Errors
| Situation | Behavior |
|---|---|
No .envless in cwd | Tells you to run envless link |
| Workspace locked | Tells you to run envless passphrase set |
| Decrypt fails on a variable | Stops, tells you the passphrase is wrong |
Env slug in .envless not in the project | Stops, names the missing env |