Designing repo-aware secret sync without committing secrets to Git

Posted by Adventurous-While685@reddit | programming | View on Reddit | 2 comments

I’ve been thinking through a CLI design problem around team .env workflows.

The target workflow is:

git clone repo
login
pull

The question is:

How should a CLI know which secret vault belongs to a cloned repo without requiring the developer to paste a vault ID, and without committing actual secrets to Git?

One approach is to commit a small project metadata file:

# .meowpass.yaml
version: 1
vault: <vault_id>
default_env: development

This file contains no secret values. It only maps the repo to a remote vault and default environment.

The CLI resolution order would be:

explicit --vault flag
nearest .meowpass.yaml, found by walking up parent directories
global user config
fail with a fix-oriented error

This makes the CLI behave more like Git.

Example:

repo/
  .meowpass.yaml
  apps/web/
  packages/api/

If you run the CLI from apps/web, it still resolves the project config from the repo root.

Some design choices I’m considering:

The project config is safe to commit because it contains metadata only
Explicit flags always override project config
version allows schema migration later
default_env makes common commands deterministic without extra flags
Diff output should show changed/missing keys, but never reveal values

Example diff output:

Local only:
- DEBUG_TOKEN

Remote only:
- STRIPE_SECRET_KEY

Changed:
- DATABASE_URL

The tradeoff is that this is less local-first than committing encrypted .env files to Git, but it improves onboarding because the repo can point to the correct vault without embedding secrets.

The model is basically:

repo metadata in Git
secret values outside Git
CLI resolves project context automatically

Questions I’m still debating:

Should default_env live in repo config, or should it stay local per developer?
Should parent directory discovery stop at the Git root?
Should the CLI warn if suspicious keys like API_KEY or DATABASE_URL appear in the config file?
Is committing a vault ID acceptable if auth and encryption still gate access?
Is this better or worse than committing encrypted .env files?

Curious how others would design this.

For team secret sync, would you use a committed metadata file, encrypted env files in Git, or another approach entirely?

[-]

Crafty_Disk_7026@reddit

I resolve MCP secrets at runtime outside the llm. User has a secret that is APIKEY that is encrypted and stored in a db. User makes call to the api, the MCP server auto detects the user ms secret, fetches and decrypts it and passes it to the MCP api call, all without visibility to the llm. Llm just sees the rest of the api calls and never sees the secret.

Adventurous-While685@reddit (OP)

Yeah, I like this model.

The LLM should not see the raw secret at all. It should only express intent, then the MCP/tool layer resolves the secret at runtime and injects it into the actual API call.

So instead of: "Here is my API key"
it becomes: "Call this API for me"

Then the MCP server fetches/decrypts the secret, uses it, and only returns the safe result.

The tricky parts are permissions, audit logs, redaction, and making sure the secret never leaks through tool output, logs, stack traces, or prompt injection.

But overall, I think runtime secret resolution outside the LLM is the right direction.