Reference
This page documents exact behavior. Open the reference overview
Vault Reference¶
This page describes the physical vault layout and the command surface for working with stored local values. Use it when you need exact storage and command behavior, not the high-level concept.
Structure¶
A typical structure looks like this:
vault/
master.key ← encryption key when encryption is enabled
projects/<slug>--<id>/
values.env
profiles/
The default local profile is stored in values.env. Explicit profiles are stored under profiles/.
Commands¶
check¶
Checks whether the current vault file exists, can be parsed, and appears usable.
show¶
Shows stored values with sensitive entries masked.
show --raw¶
Prints unmasked values, but only after explicit confirmation.
edit¶
Opens the current physical vault file in an editor. When encryption is enabled, the file is temporarily decrypted and then re-encrypted after edit.
path¶
Shows the path to the current physical vault file.
prune¶
Removes keys that are no longer declared in the contract.
encrypt¶
Encrypts plaintext vault profile files for the current project. Requires encryption.enabled = true.
decrypt¶
Decrypts encrypted vault profile files for the current project back to plaintext. Requires encryption.enabled = true.
Rules and constraints¶
- the vault lives outside the repository
- the vault stores local values, not shared contract data
- encryption protects vault files, not generated projection artifacts
- profile storage is local and explicit