{
  "version": "act 2.0.0",
  "url": "https://act101.ai/docs/secrets",
  "commands": [
    {
      "name": "act env import <path>",
      "anchor": "cmd-import",
      "description": "Sequester an entire plaintext .env into the out-of-repo store and replace it in the working tree with a silhouette."
    },
    {
      "name": "act env mv NAME [--restore] [--force]",
      "anchor": "cmd-mv",
      "description": "Sequester one existing .env key into the store, or \u2014 with --restore \u2014 write the stored value back into .env and drop it from the store. --force proceeds through a value collision."
    },
    {
      "name": "act env add NAME [--stdin]",
      "anchor": "cmd-add",
      "description": "Add or update one secret via a hidden prompt (or --stdin for pipes and scripts). The value never appears on the command line, so it can't land in shell history or the agent's context."
    },
    {
      "name": "act env rm NAME",
      "anchor": "cmd-rm",
      "description": "Remove one secret from the store and drop its line from the silhouette."
    },
    {
      "name": "act env run -- <command>",
      "anchor": "cmd-run",
      "description": "Run a command with the project's secrets injected into the child process environment. The values never enter the command string or the agent context, and the child's stdout/stderr is redacted on the way out."
    },
    {
      "name": "act env list",
      "anchor": "cmd-list",
      "description": "Print the stored key names \u2014 never the values."
    },
    {
      "name": "act env get NAME [--reveal]",
      "anchor": "cmd-get",
      "description": "Print one secret, redacted unless --reveal is given. --reveal is the explicit \u201cI accept this value entering context\u201d switch."
    }
  ]
}