Vaultlier

Environments

Environments separate values for the same key — your dev DATABASE_URL differs from prod, but the key is declared once.

The model

A project declares each key once in its schema. Values are then stored per environment. Resolving config always targets a single environment:

TypeScript
const dev = await vault({ environment: "dev" });
const prod = await vault({ environment: "prod" });
// Same typed shape, different values.

Key scopes

A key can apply to all environments (the default) or be restricted to specific ones via its scopes. A key scoped to ["prod"] can only receive values in prod — the CLI checks this locally before any value leaves your machine, and the portal enforces it authoritatively.

vaultlier.json
{
  "keys": {
    "DATABASE_URL":     { "type": "string", "scopes": ["all"] },
    "STRIPE_SECRET":    { "type": "string", "scopes": ["prod"] },
    "FEATURE_NEW_FLOW": { "type": "boolean" }
  }
}

Creating environments

Beyond the default dev/staging/prod, you can add environments at any time. set will offer to create a missing environment for you, declaring it through an additive schema push:

Terminal
vaultlier set DATABASE_URL=postgres://wip-db --env=working --yes
# created environment "working", then wrote the value
Environment creation is additive — pushing a new environment never deletes existing ones or their values.

Values & versions

Writing a value with set stores a new immutable version sealed server-side. History is preserved, so rotations are auditable and reversible. The CLI reports the new version number and never echoes the value back.

  • Each write produces a new version; older versions are retained.
  • The runtime always resolves the latest version for the environment.
  • Values are encrypted at rest with a per-project key.

See the CLI reference for set details and Security for the encryption model.