dew_vault

Vault feature package for the Dew project management tool.

This package provides the dew vault command surface and registers Vault commands as MCP tools through DewToolCommand.

Status

This package implements encrypted secret storage, rotation-aware metadata, and command handlers exposed as MCP tools.

Encrypted secret storage under .project/vault using AES-GCM + PBKDF2.
Vault password stored at .project/secrets/dew.vault.password by default.
Configurable generators for secret rotation in dew.vault.generators.
Built-in generator-backed generate command.
Metadata-aware rotation and metadata persistence for rotation policy configuration.
Rotation support:
- vault rotate rotates the vault password and rewraps every secret.
- vault rotate --name <name> regenerates a single secret value (via metadata-defined generator when available).

Run dew vault <command> --format json for machine-friendly output.

MIT — see LICENSE.

rotation:
  generator: postgres_password
  length: 48
  include_symbols: false

Store it with --metadata or --metadata-file on dew vault set/dew vault update.