Pluggable secret-vault backend used by yui secret store /
yui secret unlock to ferry the X25519 identity across
machines.
yui doesn’t authenticate against the vault itself — it shells
out to the provider’s official CLI (bw for Bitwarden, op
for 1Password). Whatever auth that CLI supports (master
password, biometric, passkey unlock via the web vault, SSO)
gates the operation, and yui inherits it for free.
Storage convention: the entire content of the X25519 identity
file (header comments + the AGE-SECRET-KEY-1… line) lives in
a Secure Note item under a user-chosen name. Picking notes
(rather than the password field) keeps the multi-line content
intact and doesn’t pollute the vault’s password-autofill UI.
What yui doesn’t try to do
- Drive bw login / op signin. Those are interactive flows the user runs once per machine; yui just calls the CLI on the assumption it’s already authenticated.
- Manage vault TOTP / passkey enrolment. Those live in the vault provider’s own UI.
- Encrypt the X25519 identity a second time. The vault’s own at-rest encryption is the trust boundary.
Traits
- Vault
- Common interface for “fetch a Secure Note’s content” and
“store a Secure Note’s content” — the only two operations
secret store / secret unlock need.
Functions
- driver
- Build a vault driver from the user’s config.
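The two-operation interface, the Secure Note storage convention and the backend-selecting driver described above, sketched as an added example that is not yui’s own code. The trait and method names (Vault, fetch_note, store_note, driver), the in-memory MemoryVault stand-in, the validate_identity check and the sample identity file are assumptions for illustration; the example deliberately does not shell out to bw or op, so it runs offline.

```rust
// Added example, not yui's code. Names below (Vault, fetch_note, store_note,
// driver, MemoryVault, validate_identity) are assumptions for illustration.
use std::collections::HashMap;
use std::fmt;

#[derive(Debug)]
pub enum VaultError {
    NotFound(String),
    Malformed(String),
    UnknownBackend(String),
}

impl fmt::Display for VaultError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            VaultError::NotFound(n) => write!(f, "no Secure Note named {n:?}"),
            VaultError::Malformed(why) => write!(f, "note is not an age identity: {why}"),
            VaultError::UnknownBackend(b) => write!(f, "unknown vault backend {b:?}"),
        }
    }
}

/// The only two operations `secret store` / `secret unlock` would need:
/// read a Secure Note's full text, or write one. A CLI-backed impl would
/// wrap `bw` / `op` here; this example keeps it in memory.
pub trait Vault {
    fn fetch_note(&self, name: &str) -> Result<String, VaultError>;
    fn store_note(&mut self, name: &str, content: &str) -> Result<(), VaultError>;
}

/// Offline stand-in for a real vault (assumption, for the example only).
#[derive(Default)]
pub struct MemoryVault {
    notes: HashMap<String, String>,
}

impl Vault for MemoryVault {
    fn fetch_note(&self, name: &str) -> Result<String, VaultError> {
        self.notes.get(name).cloned().ok_or_else(|| VaultError::NotFound(name.to_string()))
    }
    fn store_note(&mut self, name: &str, content: &str) -> Result<(), VaultError> {
        self.notes.insert(name.to_string(), content.to_string());
        Ok(())
    }
}

/// Check that a note really is an age X25519 identity file: comment lines
/// (starting with '#') and blank lines are allowed, plus exactly one
/// AGE-SECRET-KEY-1 line. Returns that key line on success.
pub fn validate_identity(content: &str) -> Result<String, VaultError> {
    let mut key = None;
    for line in content.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with("AGE-SECRET-KEY-1") {
            if key.is_some() {
                return Err(VaultError::Malformed("more than one secret key line".into()));
            }
            key = Some(line.to_string());
        } else {
            return Err(VaultError::Malformed(format!("unexpected line: {line}")));
        }
    }
    key.ok_or_else(|| VaultError::Malformed("no AGE-SECRET-KEY-1 line".into()))
}

/// `secret store`: refuse to put anything but a well-formed identity file
/// into the vault, then store the whole multi-line content verbatim.
pub fn store_identity(vault: &mut dyn Vault, name: &str, content: &str) -> Result<(), VaultError> {
    validate_identity(content)?;
    vault.store_note(name, content)
}

/// `secret unlock`: fetch the note and re-validate it before it is ever
/// written out as an identity file, so a truncated or hand-edited note fails
/// here rather than at decryption time.
pub fn fetch_identity(vault: &dyn Vault, name: &str) -> Result<String, VaultError> {
    let content = vault.fetch_note(name)?;
    validate_identity(&content)?;
    Ok(content)
}

/// Pick a backend from the user's config string. Only the in-memory backend
/// exists in this example; a real driver would return bw- or op-backed impls.
pub fn driver(backend: &str) -> Result<Box<dyn Vault>, VaultError> {
    match backend {
        "memory" => Ok(Box::new(MemoryVault::default())),
        other => Err(VaultError::UnknownBackend(other.to_string())),
    }
}

/// Constructed sample identity file (not a real key).
pub const SAMPLE_IDENTITY: &str =
    "# created: 2024-01-01T00:00:00Z\n# public key: age1examplepublickey\nAGE-SECRET-KEY-1EXAMPLENOTAREALKEY\n";

fn main() -> Result<(), VaultError> {
    let mut vault = driver("memory")?;
    store_identity(vault.as_mut(), "yui identity", SAMPLE_IDENTITY)?;
    let back = fetch_identity(vault.as_ref(), "yui identity")?;
    println!("round-tripped {} bytes, key line: {}", back.len(), validate_identity(&back)?);
    Ok(())
}
```

Validating on both the store and the unlock path is the cheap check worth keeping even once the CLI calls are real: the vault stores the note as opaque text, so the only place a missing key line or an extra pasted line gets caught is in the code that reads it back.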