
Secrets Store

DB-first, rotatable secrets with a drift-audit gate.

Registries · Live · Node.js · Supabase · Web Crypto
0 rotations

What it is

A managed secret store. Values resolve DB-first (getSecretValue), so they can be rotated from an admin console with no redeploy, and they are encrypted at rest. A classified inventory ledger gates every token against the code that uses it via the secrets:audit check.


Where it lives

  • src/lib/secrets/registry.mjs
  • src/lib/secrets/store.js
  • src/lib/secrets/inventory.mjs
  • src/app/platform/secrets/

FAQ

Why resolve secrets DB-first?

Reading the value from the database first means a key can be rotated from the admin console without a redeploy; environment variables remain a boot-time fallback.

What stops a secret from drifting?

A classified inventory ledger lists every token; the secrets:audit gate scans code and workflows against it and fails when something is referenced but unclassified, or classified but unused.
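The two failure conditions of the drift audit described above, sketched as an added example (not the project's own secrets:audit code). The ledger shape, token names, file contents and the three reference patterns, including the GitHub Actions style workflow syntax, are assumptions constructed for illustration.

```javascript
// Added example: a drift audit in the spirit of the secrets:audit gate.
// Ledger shape, token names and file contents below are constructed.

// Classified inventory ledger: every known token and its classification.
const ledger = {
  PAYMENTS_API_KEY: { classification: "payment", rotatable: true },
  DB_SERVICE_KEY: { classification: "database", rotatable: true },
  LEGACY_SMTP_PASSWORD: { classification: "mail", rotatable: false },
};

// Constructed sources standing in for application code and a CI workflow.
const sources = {
  "src/billing.js": 'const key = await getSecretValue("PAYMENTS_API_KEY");',
  "src/db.js": "const k = process.env.DB_SERVICE_KEY;",
  "ci/deploy.yml": "token: ${{ secrets.DEPLOY_TOKEN }}",
};

// Assumed reference forms: getSecretValue("X"), process.env.X, ${{ secrets.X }}.
const PATTERNS = [
  /getSecretValue\(\s*["'`]([A-Z][A-Z0-9_]*)["'`]\s*\)/g,
  /process\.env\.([A-Z][A-Z0-9_]*)/g,
  /\$\{\{\s*secrets\.([A-Z][A-Z0-9_]*)\s*\}\}/g,
];

// Map each referenced token name to the set of files that mention it.
function findReferences(files) {
  const refs = new Map();
  for (const [path, text] of Object.entries(files)) {
    for (const re of PATTERNS) {
      for (const m of text.matchAll(re)) {
        if (!refs.has(m[1])) refs.set(m[1], new Set());
        refs.get(m[1]).add(path);
      }
    }
  }
  return refs;
}

// Drift = referenced but unclassified, or classified but unused.
function auditSecrets(inventory, files) {
  const refs = findReferences(files);
  const known = (t) => Object.prototype.hasOwnProperty.call(inventory, t);
  const unclassified = [...refs.keys()].filter((t) => !known(t)).sort();
  const unused = Object.keys(inventory).filter((t) => !refs.has(t)).sort();
  return { unclassified, unused, ok: !unclassified.length && !unused.length };
}

const report = auditSecrets(ledger, sources);
console.log(report); // a CI gate would exit non-zero when report.ok is false
```

Reporting both directions matters: an unclassified reference is a secret nobody owns or rotates, while an unused ledger entry is a live credential that should be revoked rather than left valid.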
