curiositech/environment-config-manager
skills/environment-config-manager/SKILL.md
Environment configuration manager for 12-factor config, feature flags, and multi-environment management. Activate on: environment variables, ConfigMap, feature flags, 12-factor config, dotenv management, config per environment, runtime config. NOT for: secret storage (use secret-management-expert), IaC provisioning (use terraform-module-builder), CI/CD variables (use github-actions-pipeline-builder).
development
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add curiositech/windags-skills environment-config-managerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:13 PM16.3s1 file scanned
SKILL.md
- license:
- Apache-2.0
- name:
- environment-config-manager
- description:
- Environment configuration manager for 12-factor config, feature flags, and multi-environment management. Activate on: environment variables, ConfigMap, feature flags, 12-factor config, dotenv management, config per environment, runtime config. NOT for: secret storage (use secret-management-expert), IaC provisioning (use terraform-module-builder), CI/CD variables (use github-actions-pipeline-builder).
- allowed-tools:
- Read,Write,Edit,Bash(docker:*,kubectl:*,terraform:*,npm:*,npx:*)
- category:
- DevOps & Infrastructure
- - skill:
- secret-management-expert
- reason:
- Secrets are a special class of configuration requiring separate handling
Environment Config Manager
Expert in 12-factor configuration management, feature flags, and environment-specific config across dev, staging, and production.
Activation Triggers
Activate on: "environment variables", "ConfigMap", "feature flags", "12-factor config", "dotenv setup", "config per environment", "runtime configuration", "config validation", "environment parity"
NOT for: Secret storage → secret-management-expert | IaC provisioning → terraform-module-builder | CI/CD variables → github-actions-pipeline-builder
Quick Start
- Separate config from code — no hardcoded URLs, ports, or feature toggles in source
- Define config schema — typed validation with defaults (zod, envalid, convict)
- Layer environments — base config overridden by environment-specific values
- Implement feature flags — runtime toggleable features without deployment
- Validate on startup — fail fast if required config is missing or invalid
Core Capabilities
| Domain | Technologies |
|--------|-------------|
| Validation | zod, envalid, @t3-oss/env-nextjs, convict, joi |
| Feature Flags | LaunchDarkly, Unleash, Flagsmith, Statsig, simple JSON flags |
| K8s Config | ConfigMap, ExternalSecret, Kustomize overlays |
| Local Dev | dotenv, direnv, 1Password CLI (op run), docker-compose env |
| Runtime Config | etcd, Consul KV, AWS AppConfig, Firebase Remote Config |
Architecture Patterns
Typed Config Validation (TypeScript)
// config/env.ts — fail fast on invalid config
import { z } from 'zod';
const envSchema = z.object({
NODE_ENV: z.enum(['development', 'staging', 'production']),
PORT: z.coerce.number().default(3000),
DATABASE_URL: z.string().url(),
REDIS_URL: z.string().url().optional(),
LOG_LEVEL: z.enum(['debug', 'info', 'warn', 'error']).default('info'),
FEATURE_NEW_CHECKOUT: z.coerce.boolean().default(false),
API_RATE_LIMIT: z.coerce.number().default(100),
});
export type Env = z.infer<typeof envSchema>;
// Parse and validate — throws on startup if invalid
export const env = envSchema.parse(process.env);
Environment Layering
.env # Base defaults (committed, no secrets)
.env.development # Dev overrides (committed)
.env.staging # Staging overrides (committed, no secrets)
.env.production # Production overrides (committed, no secrets)
.env.local # Local overrides (gitignored, may have secrets)
Loading order (later overrides earlier):
.env → .env.{NODE_ENV} → .env.local
Secrets come from secret store, NOT .env files:
DATABASE_URL → AWS Secrets Manager / Vault
API_KEY → External Secrets Operator
Feature Flag Architecture
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Client │ │ Flag Store │ │ Admin UI │
│ SDK/hook │───▶│ (Unleash/ │◀───│ Toggle flags │
│ │ │ LaunchDarkly)│ │ per env │
└──────────────┘ └──────────────┘ └──────────────┘
Evaluation: user context + flag rules → boolean/variant
- Percentage rollout: 10% of users see new feature
- User targeting: beta users see new feature
- Environment: enabled in staging, disabled in production
- Kill switch: instantly disable without deployment
Anti-Patterns
- Config in code — hardcoded
localhost:5432orif (env === 'production')scattered across files. Centralize all config in one validated module. - Secrets in .env files committed to Git — even example files leak secret formats. Use
.env.examplewith placeholder descriptions, not values. - No config validation — trusting
process.env.PORTis a valid number. Validate and coerce all config at startup with a schema library. - Feature flags as permanent config — flags accumulate and become tech debt. Set expiration dates and clean up old flags quarterly.
- Environment-specific code paths —
if (process.env.NODE_ENV === 'production')for business logic. Use feature flags instead; environment should only affect infrastructure config.
Quality Checklist
[ ] All config loaded from environment variables (12-factor compliant)
[ ] Config schema validated on application startup (fail fast)
[ ] .env.example documents all required variables with descriptions
[ ] No secrets in committed .env files
[ ] .env.local in .gitignore
[ ] Feature flags have owner, description, and expiration date
[ ] Dev/staging/production parity maintained (same config keys)
[ ] Config changes do not require code deployment
[ ] Default values sensible for development (zero-config local setup)
[ ] ConfigMaps and Secrets separated in Kubernetes
[ ] Feature flag cleanup tracked in backlog
[ ] Runtime config changes logged and auditable
Related Skills
curiositech/circuit-breakers-and-retries
tools
VerifiedTrustedCommunity
Building resilient distributed systems with circuit breakers, retries with full-jitter exponential backoff, retry budgets (per-request 3-attempt + per-client 10% ratio per Google SRE), deadline propagation, and the cascading-failure math (4 layers × 3 retries = 64x amplification). Grounded in Resilience4j, Microsoft Cloud Patterns, AWS Architecture Blog (Marc Brooker), and Google SRE Book.
4SKILL.mdUpdated May 6, 2026
curiositech/cdn-cache-control-headers
testing
VerifiedTrustedCommunity
Designing HTTP cache headers that work correctly across browsers, CDNs, and shared proxies — `Cache-Control` directives per RFC 9111, `stale-while-revalidate` and `stale-if-error` per RFC 5861, the Vary header for varying responses, and surrogate keys for tag-based purging. Grounded in IETF RFCs and Cloudflare/Fastly docs.
4SKILL.mdUpdated May 5, 2026
curiositech/content-security-policy-headers
development
VerifiedTrustedCommunity
Use when designing or fixing a Content Security Policy on a real site, choosing between nonce-based and hash-based CSP, adding strict-dynamic, debugging "Refused to execute inline script" errors, deploying CSP in report-only mode first, configuring report-to / report-uri, or auditing an existing policy for unsafe-inline / unsafe-eval / wildcards. Triggers: "CSP blocks legitimate inline script", strict-dynamic, nonce-{RANDOM}, sha256-{HASH}, object-src none, base-uri none, frame-ancestors, Trusted Types, X-Content-Security-Policy obsolete, report-only vs enforced. NOT for general HTTP security headers (HSTS, COOP/COEP), Trusted Types deep dive, CORS configuration, or building a WAF.
3SKILL.mdUpdated May 4, 2026
curiositech/api-versioning-strategy
tools
VerifiedTrustedCommunity
Choosing and operating an HTTP API versioning strategy that doesn't break clients — Stripe's date-based pinned versions, the Deprecation/Sunset header pair (RFC 9745 + RFC 8594), URI vs header vs media-type approaches, and the version-transformer pattern. Grounded in Stripe's published architecture and IETF RFCs.
3SKILL.mdUpdated May 4, 2026