# Secrets (.env sync)

> Sync .env.development and .env.production files as environment-scoped secrets

The CLI syncs [secrets](/platform/secrets) from `.env` files in your project root. There is **no dedicated `struere secrets` command** — secret syncing happens automatically as part of `struere dev`, `struere sync`, and `struere deploy`, alongside agents, routers, and workflows.

## How it works

Place `.env.development` and `.env.production` next to your `struere.json`. The CLI reads them and upserts each `KEY=value` pair as a secret in the matching environment.

| Command | Reads | Syncs to |
|---------|-------|----------|
| `struere dev` | `.env.development` | `development` (mirrored to `eval`) |
| `struere sync` (default / `--env development`) | `.env.development` | `development` (mirrored to `eval`) |
| `struere sync --env production` | `.env.production` | `production` |
| `struere deploy` | `.env.production` | `production` |

Development secrets are **mirrored into the `eval` environment** automatically, so evals run against the same configuration as development. Production secrets are never mirrored.

Keys must match `^[A-Za-z_][A-Za-z0-9_]*$`.

## Additive (non-destructive) upsert

Secret sync is **additive**. Keys present in the `.env` file are created or updated; keys **not** in the file are left untouched — sync never deletes a secret. To remove a secret, delete it in the dashboard under **Settings → Secrets** (scoped to the environment via the dev/prod switcher).

## Example

`.env.development` in your project root:

```bash
STRIPE_API_KEY=sk_test_51abc...
SUPPORT_PORTAL_URL=https://dev.support.example.com
WELCOME_TEMPLATE=welcome_dev
```

Sync it to development (and eval):

```bash
bunx struere dev      # watch + sync on save
bunx struere sync     # one-shot sync, then exit
```

Sync production secrets from `.env.production`:

```bash
bunx struere deploy
bunx struere sync --env production
```
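The sync rules from the "How it works" and "Additive (non-destructive) upsert" sections, modelled as an added example in JavaScript (this is not the struere CLI's own code; the `.env` parsing details and the in-memory `store` shape are assumptions):

```javascript
// Added illustration (not the struere CLI's own code): models the documented
// .env sync rules so additive upsert and eval mirroring can be checked.
const KEY_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Parse KEY=value lines. Skipping blank lines and '#' comments is an
// assumption; the page does not document the parser's details.
function parseDotenv(text) {
  const pairs = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) throw new Error(`malformed line: ${line}`);
    const key = line.slice(0, eq).trim();
    if (!KEY_PATTERN.test(key)) throw new Error(`invalid secret key: ${key}`);
    pairs[key] = line.slice(eq + 1).trim();
  }
  return pairs;
}
// Which file each documented command reads and which environment it targets.
function planFor(command, envFlag = 'development') {
  const dev = { file: '.env.development', env: 'development' };
  const prod = { file: '.env.production', env: 'production' };
  if (command === 'dev') return dev;
  if (command === 'deploy') return prod;
  if (command === 'sync') return envFlag === 'production' ? prod : dev;
  throw new Error(`unknown command: ${command}`);
}
// Additive upsert: file keys are created/updated, other keys are kept.
// Development is also mirrored into eval; production is never mirrored.
function syncSecrets(store, env, pairs) {
  const targets = env === 'development' ? ['development', 'eval'] : [env];
  for (const target of targets) {
    store[target] = { ...(store[target] || {}), ...pairs };
  }
  return store;
}
// Constructed sample .env.development (placeholder values, not real keys).
const SAMPLE_ENV = [
  'STRIPE_API_KEY=sk_test_PLACEHOLDER',
  '# comment lines are ignored',
  'SUPPORT_PORTAL_URL=https://dev.support.example.com',
  'WELCOME_TEMPLATE=welcome_dev',
].join('\n');
// Constructed pre-existing store: OLD_KEY survives, production stays untouched.
function demo() {
  const store = { development: { OLD_KEY: 'keep-me' },
                  production: { STRIPE_API_KEY: 'sk_live_PLACEHOLDER' } };
  return syncSecrets(store, planFor('sync').env, parseDotenv(SAMPLE_ENV));
}
```

Running `demo()` shows the key not present in the file (`OLD_KEY`) is preserved, the three file keys land in both `development` and `eval`, and `production` is unchanged.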

## Keep `.env` files out of version control

Secret values are stored as-is and are not redacted in compiled prompts or execution telemetry. Add `.env.development` and `.env.production` to your `.gitignore` so secret values never land in your repository. Reference the synced values via `{{secrets.KEY}}` in system prompts and `context.secrets.KEY` in custom tools — see [Secrets](/platform/secrets).
