Vault
Encrypted secrets management with AES-256-GCM encryption and audit trail.
The Vault provides secure, encrypted storage for API keys, tokens, passwords, and certificates. All secrets are encrypted at rest using AES-256-GCM, with a full audit trail.
Security Features
🔐 AES-256-GCM
Military-grade encryption at rest for all stored secrets.
📝 Audit Trail
Every access is logged with timestamp and accessor identity.
🏗️ Project Isolation
Secrets are scoped to individual projects — no cross-contamination.
🚫 No Exposure
Values never appear in logs, errors, or API responses.
Storing Secrets
Store secret GITHUB_TOKEN with value ghp_xxxxxxxxxxxx
Category: token
Description: GitHub personal access token for CI
Retrieving & Listing
Get secret GITHUB_TOKEN
Every retrieval is logged in the audit trail. Only retrieve secrets when necessary.
View all stored secrets (values are never shown):
List all secrets
List secrets in category api_key
Output shows: key name, category, masked value (ghp_****xxxx), description, and last accessed timestamp.
Delete secret GITHUB_TOKEN
Skill Integration
Skills automatically inject vault secrets at runtime via environment mapping:
Define Env Mapping
```
Create skill "deploy-notify":
Required env: SLACK_WEBHOOK
Env mapping: SLACK_WEBHOOK → SLACK_DEPLOY_URL
```
Automatic Injection
When the skill runs, the vault decrypts the secret and injects it as process.env.SLACK_WEBHOOK.
Audit & Cleanup
Access is logged in the audit trail, and the secret is removed from memory after execution.
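The three steps above, modelled in Node.js as an added example (not the Vault's own code): a secret is stored under AES-256-GCM, decrypted and injected through an env mapping, audited, and removed from process.env afterwards. The names putSecret, getSecret and runSkill, the in-memory store, the random master key and the use of the project/key path as GCM associated data are assumptions made for illustration.

```javascript
// Added illustration; not the Vault product's implementation.
const crypto = require('node:crypto');

const masterKey = crypto.randomBytes(32); // constructed 256-bit key; a real one would come from a key store
const store = new Map();                  // "project/key" -> { iv, tag, ct }
const auditLog = [];                      // { ts, accessor, project, key, action }

function putSecret(project, key, value) {
  const iv = crypto.randomBytes(12);      // fresh 96-bit nonce per encryption; GCM nonces must never repeat
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  cipher.setAAD(Buffer.from(`${project}/${key}`)); // bind the ciphertext to its project and name
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  store.set(`${project}/${key}`, { iv, tag: cipher.getAuthTag(), ct });
}

function getSecret(project, key, accessor) {
  // Log the attempt first so failed and successful retrievals both leave a record.
  auditLog.push({ ts: new Date().toISOString(), accessor, project, key, action: 'get' });
  const rec = store.get(`${project}/${key}`);
  if (!rec) throw new Error('secret not found'); // the error carries no secret value
  const d = crypto.createDecipheriv('aes-256-gcm', masterKey, rec.iv);
  d.setAAD(Buffer.from(`${project}/${key}`));
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8'); // final() throws on a tag mismatch
}

// envMapping is { ENV_NAME: VAULT_KEY }; skillFn is synchronous in this sketch.
// JavaScript strings cannot be wiped, so cleanup here means deleting the injected variables.
function runSkill(project, accessor, envMapping, skillFn) {
  const names = Object.keys(envMapping);
  try {
    for (const n of names) process.env[n] = getSecret(project, envMapping[n], accessor);
    return skillFn();
  } finally {
    for (const n of names) delete process.env[n];
  }
}

// Constructed sample secret for the mapping SLACK_WEBHOOK → SLACK_DEPLOY_URL.
putSecret('proj-a', 'SLACK_DEPLOY_URL', 'https://hooks.example.invalid/T000/B000');
```

Because the project/key path is authenticated as associated data, a ciphertext record copied under another project's path fails tag verification instead of decrypting.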
Best Practices
- Use descriptive key names — PROD_DB_PASSWORD not PW1
- Categorize properly — Helps with filtering and auditing
- Add descriptions — Future you will thank present you
- Rotate regularly — Update secrets on a schedule
- Minimize access — Only retrieve secrets when needed
- Use env mapping — Let skills inject secrets automatically instead of manual retrieval