vault.md

Vault Reference

Reference

This page describes the physical vault layout and the command surface for working with stored local values. Use it when you need exact storage and command behavior, not the high-level concept.

Structure

A typical structure looks like this:

vault/
  master.key          ← encryption key when encryption is enabled
  projects/<slug>--<id>/
    values.env
    profiles/

The default local profile is stored in values.env. Explicit profiles are stored under profiles/.

Commands

check

envctl vault check

Checks whether the current vault file exists, can be parsed, and appears usable.

show

envctl vault show

Shows stored values with sensitive entries masked.

show --raw

envctl vault show --raw

Prints unmasked values, but only after explicit confirmation.

edit

envctl vault edit

Opens the current physical vault file in an editor. When encryption is enabled, the file is temporarily decrypted and then re-encrypted after edit.

path

envctl vault path

Shows the path to the current physical vault file.

prune

envctl vault prune

Removes keys that are no longer declared in the contract.

encrypt

envctl vault encrypt

Encrypts plaintext vault profile files for the current project. Requires encryption.enabled = true.

decrypt

envctl vault decrypt

Decrypts encrypted vault profile files for the current project back to plaintext. Requires encryption.enabled = true.

Rules and constraints

• the vault lives outside the repository
• the vault stores local values, not shared contract data
• encryption protects vault files, not generated projection artifacts
• profile storage is local and explicit

Related pages

### Vault concept

Go back to the conceptual role of local storage.

Read about the vault

### Encryption reference

Open this when the physical vault files are encrypted at rest.

Open encryption reference

### Security reference

Reconnect physical storage details to the broader safety model.

Open security reference