Proof-of-concept: encrypted repo-native secrets for developer teams
Yoink
Lean, repo-native secrets for developer teams.
Encrypted secrets live in your repo. Developers decrypt only what they have access to.
Requirements
- Python 3.9+
- age (brew install age)
- Git
Install
pip install yoink-py
Commands
yoink secrets               Edit all secrets in $EDITOR
yoink access edit           Review members and requests in $EDITOR
yoink access request        Request access to the vault (new developers)
yoink run <env> -- <cmd>    Run a command with secrets injected
Quick start
cd your-repo
yoink secrets # bootstraps vault on first run, then opens editor
The vault is created in .yoink/ with dev, staging, and production environments.
Two vault-wide recovery keys are printed once — back them up in your team password manager.
Secrets editor
yoink secrets opens a buffer like:
[dev]
DATABASE_URL=postgres://localhost/mydb
API_KEY=sk_test_abc
[staging]
DATABASE_URL=postgres://staging/mydb
[production]
DATABASE_URL=postgres://prod/mydb
- Edit values inline
- Add a key to add it
- Delete a line to remove a secret
- Add a new [environment] header to create a new environment
- Save and quit — changes are applied
Access editor
yoink access edit opens a buffer like:
## members
jack dev staging production
sarah dev staging
## requests
bob dev staging
- Edit the environment list on a member line to change their access
- Delete a member line to revoke their access
- Move a request line above ## requests to approve it
- Delete a request line to reject it
- Save and quit — changes are applied
New developer workflow
yoink access request # generates keypair, writes .yoink/requests/<you>.json
git add .yoink/requests/<you>.json
git commit -m "access request: <you>"
# open a PR
A maintainer pulls the PR and runs yoink access edit. Moving your line above
## requests and saving approves you. The vault files are re-encrypted to include
your key.
How it works
- Secrets are encrypted with age and stored as .enc files in .yoink/
- Each developer has an identity keypair in ~/.yoink/
- The manifest (manifest.json) tracks who has access to what
- Re-encryption happens automatically when access changes
Limitations
- Git history is immutable — revoking access doesn't erase past exposure
- No runtime audit — who decrypted what and when is not tracked
- Best for small-to-medium teams
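The access-editor buffer format and the first limitation above combine into a practical check, shown here as an added example that is not yoink's own code: diff the buffer before and after an edit and list the environments whose secrets a removed member could still decrypt from Git history, so those values can be rotated. The parser, function names, and sample buffers are assumptions constructed from the format shown on this page.

```python
# Added example (not yoink's code): diff two access-editor buffers.

def parse_access(buffer):
    """Return (members, requests): dicts of name -> set of environments."""
    sections = {"members": {}, "requests": {}}
    current = None
    for raw in buffer.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("##"):
            current = line[2:].strip()
            if current not in sections:
                raise ValueError(f"unknown section: {current!r}")
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        name, *envs = line.split()
        sections[current][name] = set(envs)
    return sections["members"], sections["requests"]


def rotation_plan(before, after):
    """Map each environment to the members who lost access to it."""
    old, new = parse_access(before)[0], parse_access(after)[0]
    plan = {}
    for name, envs in old.items():
        for env in envs - new.get(name, set()):
            plan.setdefault(env, set()).add(name)
    return plan


# Constructed sample buffers in the format shown above.
BEFORE = """## members
jack dev staging production
sarah dev staging
## requests
bob dev staging
"""
# sarah loses staging, jack is removed, bob's request is approved.
AFTER = """## members
sarah dev
bob dev staging
## requests
"""

if __name__ == "__main__":
    for env, who in sorted(rotation_plan(BEFORE, AFTER).items()):
        print(f"rotate secrets in [{env}]: previously readable by {sorted(who)}")
```

Approving a request never appears in the plan; only removed members or narrowed environment lists do.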
File details
Details for the file yoink_py-0.1.0.tar.gz.
File metadata
- Download URL: yoink_py-0.1.0.tar.gz
- Upload date:
- Size: 13.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1d2b587933115c50e0e3e765a08ee9c8196e297f492b6c57dac4a8ede71aece9 |
| MD5 | 93f5255fe165b82637c3a0950e341f19 |
| BLAKE2b-256 | 7812ed8383e72b513f47ca1a19331cd3ab9b1bfe69b6469aed7222c453515153 |
File details
Details for the file yoink_py-0.1.0-py3-none-any.whl.
File metadata
- Download URL: yoink_py-0.1.0-py3-none-any.whl
- Upload date:
- Size: 14.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e055f9bb1a1cd7861b4a939ea7ef958047747112af141217ea55c87b0357f5bb |
| MD5 | b28fabc6ff801a8910ab7caed3f581f7 |
| BLAKE2b-256 | a2f1efa9684d7ead4b8e554faf039ba866775fd18adcc1487da04773299be0f8 |