Skip to content
Kitsy Docs Open CNOS
Kitsy Docs

Security

Security

CNOS secret rules:

  • repo files store refs, not plaintext secret material
  • local vault material is encrypted outside the repo
  • reads are masked by default
  • browser and public outputs never expose secret.*
  • vault auth manages session-based access to local vaults