Repo Vault Lane

Safe archive, Git remote, or working vault folder.

For handoff packages, the repo snapshot command builds one vault-ready archive, runs a local secret scan, uploads through the same R2 receipt flow, and keeps the proof in the ledger.

npm run vault:dry-run npm run vault:push npm run vault:repo -- status --dir=. npm run vault:secrets:manifest npm run vault:cli clone app ./app

Safety Behavior

Archive safety and Git-level recovery stay separate.

The archive package skips local secrets, generated dependency folders, backup data, database files, private keys, old archives, and text files flagged by the credential scanner.

  • Use dry run first to inspect the sanitized archive.
  • Use push when the archive is ready for the vault ledger.
  • Use the Git remote when the dev needs clone, fetch, and push behavior.
  • Use the repo workspace helper for status, diff, commit, sync, and push receipts.
  • Use the secret manifest before deleting or handing off a local workspace.

Full Workspace Restore

Encrypted artifact plus restore kit.

A .zip.enc means encrypted by design. It is not the final ZIP yet; it is the protected wrapper that keeps the repo locked until the direct restore kit unlocks it.

  • Download the large `.zip.enc` artifact.
  • Download the matching direct restore kit ZIP.
  • Run the helper from the restore kit.
  • Open the real `.zip` or extracted repo folder after decrypt finishes.

One Command Shape

The helper does the decrypt, verify, and unzip steps.

unzip direct-restore-kit.zip -d restore-kit node restore-kit/skyevault-restore-encrypted-zip.mjs --artifact=repo.zip.enc --key-file=restore-kit/artifact-key-material.txt --out-dir=./restore-repo --force

If a file still ends in `.zip.enc`, it has not been unlocked yet. The real repo ZIP appears only after the restore kit decrypts it.

Archive Receipt-backed snapshot

Best for project handoff, release proof, disaster recovery, and client-safe downloads.

Git Bare repo remote

Best when a developer needs normal clone, fetch, push, tags, and branch policy.

Workspace Working folder receipts

Best when a vault folder needs status, diff, commit, sync, and push proof.

Boundary Local-only recovery list

Best for secrets, databases, private keys, dependency folders, and generated state.

AI Install One-page setup lane

Best when a dev or coding agent needs the exact commands, env names, auth rule, plans, and receipts.