# Vault (encrypted-only)

This directory contains **encrypted artifacts only**.

Rules:
- Never commit plaintext secrets (even temporarily).
- Never commit private keys.
- Treat `vault/` as safe-to-leak ciphertext: if leaking it would break you, it is mis-scoped.

Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use.

## Allowed files

The vault is for ciphertext, plus documentation.

Allowed:
- `*.age`
- `*.sops.*`
- `README.md`
- `.gitkeep` (if used)

Anything else under `vault/` is treated as plaintext and is blocked by CI.
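
One way to implement the CI check described above, as an added example (not this repository's own CI code). The function names, running from the repository root, matching the patterns against the basename at any depth, and treating any tracked file under `vault/tmp/` as a violation are assumptions.

```sh
#!/bin/sh
# Added example, not the repository's CI script. Constructed paths only.

# Read repo-relative paths on stdin (one per line) and print every path that
# the allowlist above would treat as plaintext. Prints nothing when clean.
vault_violations() {
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in
            # Assumption: vault/tmp/ is gitignored, so a tracked file there
            # was force-added working material; flag it whatever its name.
            vault/tmp/*) printf '%s\n' "$path"; continue ;;
            vault/*) ;;
            *) continue ;;  # outside vault/: out of scope for this check
        esac
        name=${path##*/}  # assumption: patterns apply to the basename
        case "$name" in
            *.age | *.sops.* | README.md | .gitkeep) ;;
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Hypothetical CI entry point; run from the repository root.
check_vault() {
    # Fail closed: if git cannot list files, do not report a clean vault.
    files=$(git ls-files -- vault/) || return 2
    bad=$(printf '%s\n' "$files" | vault_violations)
    [ -z "$bad" ] && return 0
    printf 'vault/ allowlist violation:\n%s\n' "$bad" >&2
    return 1
}

# Demo on constructed paths: prints the three that CI would block.
printf '%s\n' vault/api.age vault/prod/db.sops.yaml vault/README.md \
    vault/.env vault/keys/id_ed25519 vault/tmp/dump.age | vault_violations
```

Matching on names only shows that a file claims to be ciphertext; it does not verify that the contents are encrypted.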