VibeVault logo
VibeVault
Windows-first secret hygiene

Remove plaintext secrets from your repo.Keep the AI workflow fast.

Start the env demo
developer@workspace:~/app
Scan phase
Find secrets before teammates or AI tools read them.
Guided command windowstep 1 of 4
>
Inspecting .env, appsettings.json, docker-compose.yaml, and secrets.yaml
13 findings detected across 4 files
Findings saved to .vibevault/findings.json for review
Use `Next` to step through the workflow at your own pace.
Try Yourself
Scan status
Find secrets before teammates or AI tools read them.
Files scanned41
Risky values13
Ignored by policy6
DPAPI vault

Secrets stay tied to the current Windows user instead of the workspace.

S3 recovery lane

Backup and restore flows can keep a shared remote path ready.

Why You Need It

Agents can read files. VibeVault changes what they see.

Plaintext repo in. Placeholder repo out. Real secrets stay encrypted until runtime.

Raw env

Repo has live keys.

JWT_SECRET=prod-secret
Agent read

Agent keeps context.

read .env -> reuse
Leak path

Commit, prompt, or tool log.

git / registry / log
VibeVault
sanitize + vault
VibeVault logo
VibeVault
Secret in. Safe repo out.
Raw secret
DATABASE_URL=postgres://demo:secret@db
Sanitized repo
DATABASE_URL=REDACTED::DATABASE_URL
Encrypted vault
dpapi:84af-1cc2-4e5f-8a3b-9d2c1f0a5678
Agents see
REDACTED::DATABASE_URL
Vault keeps
dpapi:84af-1cc2...
Safe repo

Only placeholders stay visible.

JWT_SECRET=REDACTED::JWT_SECRET
Real vault

Real value stays encrypted.

dpapi:9dc1...
Run + backup

Inject on run, back up to S3.

s3://team-bucket/...
Product posture

Sanitize first. Run later. Recover when you need to.

The product is built around one rule: never let the workspace carry the real secret any longer than it has to.

Plaintext secrets should leave the workspace after sanitization.

Vault values stay encrypted with Windows DPAPI for the current user.

Runtime injection avoids writing decrypted secrets back to files.

Backup metadata and restore flows preserve a recovery path.

1
Scan
.env + config files
2
Scrub
typed placeholders
3
Vault
DPAPI encrypted
4
Run
memory injection
vibevault sanitize --backup-storage s3 --backup-location s3://team-bucket/vibevault/backups
Command surface
CLI-first workflow
Scan, sanitize, vault, run, backup, restore, and manage an S3 connection from one command surface.
Windows app
Desktop preview included
A WPF app already covers dashboard, scanner, sanitizer planning, vault browsing, restore, settings, and command execution flows.
Backup model
Recovery stays built in
Local backup storage works out of the box, and the shared S3 lane keeps a remote recovery option ready when teams need it.
Editable env demo

Edit a `.env` file, sanitize it, then run the project with secrets hidden from logs.

The demo is now start-driven instead of passive: change the env file, trigger detection, inspect the sanitized version, then watch the runtime injection window show how `vibevault run` keeps logs clean.

Edit
Detect
Sanitize
Run
Editable .env demo

Edit the `.env` content, then start the demo to watch detection, sanitize output, and the runtime injection flow.

Editable .env
4 secrets detected
DATABASE_URL
JWT_SECRET
API_KEY
SMTP_PASSWORD
Sanitized version
Repo-safe output
Make changes in the `.env` editor, then click `Start demo` to run detection and sanitize.
Desktop status board
Scanner, vault, backups, and settings in one Windows preview.
WPF preview
Dashboard screenshot
The current desktop build already has a real dashboard, not a placeholder shell.
Current GUI
VibeVault desktop dashboard screenshot
Dashboard status and workspace banner
Scanner, sanitizer, backups, and settings flows
Desktop guide now includes the full screenshot gallery
Desktop flow

A control surface for teammates who should not need the terminal.

The desktop app is not a static mock. It already covers dashboard status, scanner results, sanitizer planning, vault browsing, command execution, and backup restore workflows.

Dashboard snapshot

Counts secrets and backups across common profiles and can reflect local plus S3 backup availability.

Restore-oriented backup manager

Restore flows are wired today, which makes the desktop app useful even while delete actions still lag.

Shared S3 connection settings

Teams can configure, test, and inspect the current user's backup connection without leaving the app.

Open desktop guide
Docs and install guide

A detailed docs route now covers download, install, usage, and the demo flow.

Instead of hiding the setup in scattered markdown files, the landing app now links to a full docs page with source-first install guidance, command sequences, desktop notes, recovery flows, and demo instructions.

The build works today, but it is not published as a public installer yet.

Use the shared repo or archive, then build from the root workspace.

Run the included PowerShell script to link the CLI globally.

Walk through the real command flow with profiles, backups, and demo scripts.

Read the open-source plan for after the hackathon stages.

Read the docs page
Documentation
Introduction
Download
Installation
How It Works
S3 Setup
Demo
Desktop
Backups
Installation
Source-first setup for the current hackathon build.
Detailed route
>npm install
>npm run build
>.\scripts\setup-global.ps1
>vibevault --version
>vibevault vault init
Download

Use the shared repo or archive snapshot for now. The public package is not released yet.

Use

Follow the docs flow for sanitize, vault, run, and backup.

FAQ

Frequently asked before a team rolls this into a real workflow.

The answers below stay close to the current repo state so the marketing layer does not drift away from the implementation.

Current repo snapshot

CLI ready. Desktop preview usable. Docs and demo flow now included.

The next public-facing step is not more mockups. It is hardening the build, keeping the docs current, and preparing the best parts for open-source release after the hackathon stages conclude.

Read the docs