Vault

Per-project encrypted secrets, gated by Touch ID and stored in the macOS Keychain.

The Vault is where Vibehaus keeps the secrets you’d otherwise paste into a .env file or a sticky note — API keys, registry tokens, database URLs.

Why it matters

A secret pinned to a project is harder to lose, easier to rotate, and never sits in plaintext on disk where a stray cat .env can leak it.

What’s stored

Each Vault entry has two fields:

  • Label — what you call it (OPENAI_API_KEY, Stripe test secret, etc.)
  • Value — the secret itself.

Both fields live only in the macOS Keychain. Vibehaus never writes plaintext secret material to its own database on disk.

When Cloud Sync is on, an encrypted copy is uploaded to the server. The plaintext label and value never leave your device. See Cloud Sync for the encryption details.

Touch ID gate

Tapping Vault on a project’s detail tab triggers a Touch ID prompt: “Unlock Vibehaus Vault for <project name>”. If Touch ID isn’t available, you can fall back to your device password.

The unlock is per-session. Quitting the app, locking the screen, or letting the project tab close will lock the Vault again.

One Vault per signed-in user

Vault entries are scoped to the Apple ID you signed in with. If you sign in as a different account on the same Mac, you’ll see that account’s secrets — never the previous user’s.

Vault items in flows

A flow step that needs NPM_TOKEN or GITHUB_TOKEN can pull it from the project’s Vault by toggling Inject secrets on the project’s detail tab. When the toggle is on, every secret in that project’s Vault becomes an environment variable visible to every shell command in the flow:

NPM_TOKEN=ghp_xxx    # from a Vault entry labelled "NPM_TOKEN"

The label you give a secret in the Vault is the literal env-var name the shell sees — no prefix is added. Pick names that match what your tooling expects.

The toggle is off by default and is per-project, so a Vault entry on Project A is never visible to Project B’s flows.
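
Because the label is the literal variable name, a flow step can check up front that the secrets it needs were injected. The preflight below is an added example, not Vibehaus code; the function names valid_env_label and require_secrets are hypothetical. It reports names only, never values.

```shell
#!/bin/sh
# Added example, not part of Vibehaus. Preflight for a flow step that relies
# on Vault secrets injected as environment variables.
# Function names are hypothetical.

# Return 0 if a Vault label is usable as an environment variable name:
# letters, digits and underscore only, not starting with a digit.
# A label such as "Stripe test secret" fails this check.
valid_env_label() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check that every named secret is set and non-empty.
# Writes only the names of problem entries to stderr, never a value.
# Returns non-zero if any name is invalid or its variable is missing.
require_secrets() {
    missing=""
    for name in "$@"; do
        if ! valid_env_label "$name"; then
            echo "invalid env name: $name" >&2
            missing="$missing $name"
            continue
        fi
        # Indirect lookup; eval is safe here because the name was validated
        # above and the value is assigned, not executed or printed.
        eval "val=\${$name-}"
        if [ -z "$val" ]; then
            echo "missing secret: $name" >&2
            missing="$missing $name"
        fi
    done
    unset val
    [ -z "$missing" ]
}

# Typical use as the first command of a flow step:
#   require_secrets NPM_TOKEN GITHUB_TOKEN || exit 1
```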

What’s NOT stored

  • No plaintext secret ever touches Vibehaus’s database on disk.
  • The server only sees encrypted blobs — never your label or value text.
  • Vibehaus never logs the value of a secret. When a flow injects secrets it logs the labels (“Injecting 3 secret(s) into env: NPM_TOKEN, OPENAI_API_KEY, STRIPE_KEY”) so you can audit a run, but never the values.

See also

  • Cloud Sync — how Vault items propagate to your other Macs.
  • Flow Builder — injecting secrets into shell commands.
  • Troubleshooting — “the Vault is empty after I signed in on a new Mac”.