Concepts
This page explains the model behind the CLI. Open the concepts overview
Hooks¶
envctl can manage a very small Git-hook safety layer.
The point is not generic automation. The point is narrow local protection against committing or pushing envctl-managed secret material by mistake.
What hooks are¶
In the envctl model, managed hooks are local wrappers around:
They exist to stop obvious secret-handling mistakes before commit and push.
Why they matter¶
Hooks add a lightweight local safety net:
- before a commit is created
- before a push leaves the machine
That makes them useful, especially for teams, but they remain a narrow protection layer.
What problem they solve¶
Managed hooks solve one focused problem:
prevent accidental local Git operations from carrying envctl-managed secret material forward unnoticed
They do not try to solve broader CI policy, arbitrary automation, or multi-tool hook orchestration.
What hooks are not¶
Managed hooks are not:
- a general-purpose automation framework
- a hook-merging system
- a replacement for CI enforcement
- a guarantee against
--no-verify
That narrow scope is intentional. It avoids hidden behavior and fragile integrations.
Managed vs foreign hooks¶
envctl distinguishes:
- managed hooks: created by
envctl, marked asmanaged-by: envctl, and fully controlled by it - foreign hooks: created by something else or manually modified
If a hook is not managed by envctl, it is left alone by default.
How hooks fit in the system¶
Managed hooks sit beside the core model, not inside it:
- the contract defines requirements
- the vault stores local values
- resolution and projection govern runtime truth
- hooks add a local Git safety layer around that model