# Vault (encrypted-only)

This directory contains **encrypted artifacts only**.

Rules:

- Never commit plaintext secrets (even temporarily).
- Never commit private keys.
- Treat `vault/` as safe-to-leak ciphertext: if leaking it would break you, it is mis-scoped.

Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use.

## Allowed files

The vault is for ciphertext, plus documentation.

Allowed:

- `*.age`
- `*.sops.*`
- `README.md`
- `.gitkeep` (if used)

Anything else under `vault/` is treated as plaintext and is blocked by CI.
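
One way the CI check described above could be implemented, as an added example (not this repository's actual CI script). The names `vault_violations` and `sample_paths` are hypothetical, and it assumes the allowlist applies to file names at any depth, that a tracked file under `vault/tmp/` is a violation, and that paths git had to quote are rejected.

```shell
#!/bin/sh
# Added example: name-based allowlist check for tracked paths under vault/.
# Reads newline-separated paths on stdin (e.g. `git ls-files -- vault`),
# prints each violating path, and returns 1 if any were found.
vault_violations() {
    status=0
    while IFS= read -r p; do
        case "$p" in
            '"vault/'*)
                # git C-quotes paths with unusual bytes; reject rather than
                # try to unquote (assumption: vault names stay plain ASCII).
                printf '%s\n' "$p"; status=1; continue ;;
            vault/tmp/*)
                # Assumption: a tracked file in the gitignored working
                # directory was force-added, so flag it whatever its name.
                printf '%s\n' "$p"; status=1; continue ;;
            vault/*) ;;              # in scope, check the file name below
            *) continue ;;           # outside vault/, not this check's job
        esac
        case "${p##*/}" in
            *.age|*.sops.*|README.md|.gitkeep) ;;   # allowlist from the README
            *) printf '%s\n' "$p"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample input, not output from a real repository.
sample_paths() {
    printf '%s\n' vault/README.md vault/db/prod.age vault/app.sops.yaml \
        vault/.gitkeep vault/db/prod.env vault/id_ed25519 \
        vault/tmp/prod.age '"vault/caf\303\251.age"' docs/notes.txt
}

# Demo: list the violations in the sample (prints four paths).
sample_paths | vault_violations || true
```

In CI this would run as `git ls-files -- vault | vault_violations`, failing the job on a non-zero exit. The check is on names only: a plaintext file saved with an `.age` or `.sops.*` name still passes, so it does not replace reviewing what gets encrypted.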