This page explains the model behind the CLI.
Vault
The vault is the local storage layer where real environment values live. It exists so the repository can describe shared requirements without becoming the place where actual secrets or machine-specific values are stored.
What it is
The vault answers one question:
Where do the real local values live on this machine?
That includes actual credentials, local URLs, and other concrete values that satisfy the contract on this machine.
Why it matters
Without a local storage layer, teams usually fall into one of two bad patterns:
- secrets drift into repository-visible files
- every developer invents a different local storage habit
The vault makes the boundary explicit: the contract is shared, but real values stay local.
The vault is local truth, not shared truth.
What problem it solves
The vault solves safe locality:
- one machine stores its own real values
- onboarding does not require copying someone else’s env file
- secret handling stops being confused with project definition
That is why commands like fill matter:
$ envctl fill
That command supplies missing local values. It does not edit the shared model.
What it is not
The vault is not:
- the contract
- a public config file
- a team secret-sharing channel
- a generated dotenv artifact
If those boundaries blur, the model becomes much harder to trust.
How it fits in the system
The vault is one layer in a chain:
- the contract defines requirements
- the vault stores real local values
- profiles select which local set is active
- resolution computes effective runtime truth
- projection hands that truth to tools
Optional encryption strengthens the storage layer, but it does not change the conceptual split.
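The layering above can be modelled in a few lines. This is an added sketch, not envctl's own code or file formats: the JSON layout, file names, and the functions `check_vault_boundary`, `resolve`, and `project` are assumptions made for illustration, and all values are constructed.

```python
import json, os, stat, tempfile
from pathlib import Path

# Hypothetical model, not envctl's real file formats: the contract lists
# required keys only; the vault maps profile -> {key: value}.

def check_vault_boundary(vault_path, repo_root):
    """Return boundary violations for a vault file (empty list means OK)."""
    vault, repo = Path(vault_path).resolve(), Path(repo_root).resolve()
    problems = []
    if vault.is_relative_to(repo):
        problems.append("vault is inside the repository tree")
    if os.name == "posix" and stat.S_IMODE(vault.stat().st_mode) & 0o077:
        problems.append("vault is accessible to group or other users")
    return problems

def resolve(contract, vault, profile):
    """Effective values for the active profile, plus keys still missing."""
    values = vault.get(profile, {})
    effective = {k: values[k] for k in contract if k in values}
    missing = [k for k in contract if k not in values]
    return effective, missing

def project(effective, base_env):
    """Overlay resolved values on a tool's environment; nothing is written."""
    return {**base_env, **effective}

def demo():
    contract = ["DATABASE_URL", "API_KEY"]  # shared requirements, no values
    data = {"local": {"DATABASE_URL": "postgres://localhost/dev"}}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        repo, home = Path(tmp, "repo"), Path(tmp, "home")
        repo.mkdir(); home.mkdir()
        good, bad = home / "vault.json", repo / ".env.json"
        for path, mode in ((good, 0o600), (bad, 0o644)):
            path.write_text(json.dumps(data))
            os.chmod(path, mode)
        ok = check_vault_boundary(good, repo)
        drift = check_vault_boundary(bad, repo)
        effective, missing = resolve(contract, json.loads(good.read_text()), "local")
    return ok, drift, effective, missing, project(effective, {"PATH": "/usr/bin"})

if __name__ == "__main__":
    print(demo())
```

The `missing` list is what a fill step would prompt for; the contract itself is never modified by resolution or projection.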