Add CI secret tripwire and vault guard

2025-12-17 15:24:01 +00:00
parent f375d21a9e
commit f3bef9dfb1
2 changed files with 48 additions and 0 deletions
--- a/vault/README.md
+++ b/vault/README.md
@@ -10,3 +10,15 @@ Rules:

 Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use.

+## Allowed files
+
+The vault is for ciphertext, plus documentation.
+
+Allowed:
+
+- `*.age`
+- `*.sops.*`
+- `README.md`
+- `.gitkeep` (if used)
+
+Anything else under `vault/` is treated as plaintext and is blocked by CI.