Vault (encrypted-only)
This directory contains encrypted artifacts only.
Rules:
- Never commit plaintext secrets (even temporarily).
- Never commit private keys.
- Treat
vault/as safe-to-leak ciphertext: if leaking it would break you, it is mis-scoped.
Decryption/working material belongs in vault/tmp/ (gitignored) and should be wiped after use.
Allowed files
The vault is for ciphertext, plus documentation.
Allowed:
*.age*.sops.*README.md.gitkeep(if used)
Anything else under vault/ is treated as plaintext and is blocked by CI.