Seven secrets tools, one job each. The boundary between AI-readable and human-only is structural, not policy.

This site is the single public source of truth for the secrets-management story. Each repo’s README.md keeps only the literal commands its workflow needs; the narrative lives here.
The boundary that matters
| AI-readable (CI + dev) | Human-only | Planned |
|---|---|---|
| Doppler, automation keychain, AWS Vault session, SOPS in-repo, BWS via bridge | Bitwarden vault, elevate-access keychain | OpenBao |
Which tool for which secret
| Tool | Use it for | Deep dive |
|---|---|---|
| Doppler | AI provider keys (Claude, Gemini, OpenRouter, HuggingFace); GitHub Actions secrets distributed via secrets-sync; dryvist org-level Doppler integration | doppler |
| macOS Keychain | Tiered GitHub PATs (RESTRICTED, PRIVATE, ADMIN); BWS access token; Claude Code OAuth credential | macos-keychain |
| AWS Vault | AWS credentials per Terraform root (one profile per root) | aws-vault |
| Mozilla SOPS | Encrypted Terraform / Ansible vars committed to git; initial-bootstrap passwords; internal topology | sops |
| Bitwarden vault | SSH keys, recovery codes, age-key escrow, account passwords — AI tools never reach this | bitwarden |
| BWS | Programmatic AI tokens (e.g. CLAUDE_CODE_OAUTH_TOKEN) fetched via the Python bridge | bws |
| OpenBao (planned) | Self-hosted homelab service-to-service auth | openbao |
What this section covers
Golden laws
The fifteen non-negotiables. Every other page is just an implementation of one of these.
How it fits together
Multi-diagram tour of every secret flow — CI, local dev, AI sessions.
secrets-sync architecture
How Tier 1 secrets reach 20+ GitHub repos through one workflow.
Local AI isolation
Why AI tools structurally cannot view protected token values.
Scrubbed values
Canonical placeholders for IPs, domains, usernames, and tokens in every committed file.