| .. | ||
| lib | ||
| test | ||
| CHANGELOG.md | ||
| LICENSE | ||
| pubspec.yaml | ||
| README.md | ||
dew_vault
Vault feature package for the Dew project management tool.
This package provides the dew vault command surface and registers Vault commands
as MCP tools through DewToolCommand.
Status
This package implements encrypted secret storage, rotation-aware metadata, and command handlers exposed as MCP tools.
Features
- Encrypted secret storage under
.project/vaultusing AES-GCM + PBKDF2. - Vault password stored at
.project/secrets/dew.vault.passwordby default. - Configurable generators for secret rotation in
dew.vault.generators. - Built-in generator-backed
generatecommand. - Metadata-aware rotation and metadata persistence for rotation policy configuration.
- Rotation support:
vault rotaterotates the vault password and rewraps every secret.vault rotate --name <name>regenerates a single secret value (via metadata-defined generator when available).
Commands
dew vault initdew vault getdew vault setdew vault updatedew vault renamedew vault rotatedew vault generatedew vault listdew vault delete
Run dew vault <command> --format json for machine-friendly output.
License
MIT — see LICENSE.
Example metadata
rotation:
generator: postgres_password
length: 48
include_symbols: false
Store it with --metadata or --metadata-file on dew vault set/dew vault update.