Behavior Settings
Overview
dotsecenv provides granular behavior settings that control how the tool handles various edge cases and error conditions.
Configuration
Behavior settings are configured in your ~/.config/dotsecenv/config.yaml file under the behavior section:

```yaml
behavior:
  require_explicit_vault_upgrade: false
  restrict_to_configured_vaults: false
```

Available Settings
require_explicit_vault_upgrade
Controls whether vault format upgrades happen automatically or require explicit user action.
| Value | Behavior |
|---|---|
| false (default) | Vaults are automatically upgraded to the latest format with a notice |
| true | Warns about outdated format but doesn’t modify; requires dotsecenv vault upgrade |
Use case: Set to true in shared environments where you want to coordinate vault upgrades across team members.
```yaml
behavior:
  require_explicit_vault_upgrade: true
```

When enabled, you’ll see:

```
dotsecenv: warning: vault "/path/to/vault" uses format v1, upgrade to v2 recommended
dotsecenv: run 'dotsecenv vault upgrade' to upgrade the vault format
```

restrict_to_configured_vaults
Controls whether CLI -v flags can override vaults specified in the configuration file.
| Value | Behavior |
|---|---|
| false (default) | CLI -v flags can specify different vaults than config |
| true | CLI -v flags are ignored; only config vaults are used |
Use case: Set to true to prevent accidental use of wrong vaults in production.
```yaml
behavior:
  restrict_to_configured_vaults: true
```

Default Behaviors
The following behaviors have sensible defaults:
| Behavior | Default | Rationale |
|---|---|---|
| Flag conflicts (--last -v) | Always error | Conflicting flags should fail early |
| Secret fallback | Always allowed with warning | Supports multi-user private values |
| Identity already exists | Always warn + skip | Fingerprints are unique |
| Identity auto-add | Always warn + auto-add | Convenient default |
| Revoke unknown identity | Always warn + proceed | Revoke should complete |
| Decrypt errors | Always warn + try others | Best-effort recovery |
Secret Fallback Behavior
When a user requests a secret but cannot access the latest value (e.g., their access was revoked), dotsecenv will:
- Attempt to decrypt older values that the user can still access
- Print a warning:

  ```
  warning: returning older value for 'SECRET_NAME' (access to latest value is revoked)
  ```
- Return the most recent accessible value
This allows multi-user scenarios where each user maintains their own private values.
GPG Program Configuration
The GPG program path is configured explicitly:

```yaml
gpg:
  program: PATH  # Infer from system PATH (recommended)
  # OR
  # program: /usr/bin/gpg  # Absolute path to specific binary
```

Example Configurations
Development Environment
```yaml
approved_algorithms:
  - algo: RSA
    min_bits: 2048
vault:
  - ~/.local/share/dotsecenv/vault
gpg:
  program: PATH
# behavior section omitted - all defaults (permissive)
```

Production / CI Environment

```yaml
approved_algorithms:
  - algo: ECC
    curves: [P-384, P-521]
    min_bits: 384
vault:
  - /secure/path/to/vault
behavior:
  restrict_to_configured_vaults: true
gpg:
  program: /usr/bin/gpg
```

Shared Team Environment

```yaml
approved_algorithms:
  - algo: RSA
    min_bits: 4096
vault:
  - ~/projects/myapp/.dotsecenv/vault
behavior:
  require_explicit_vault_upgrade: true  # Coordinate upgrades
gpg:
  program: PATH
```
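A pre-deployment check that a config matches the production or shared profile shown above can catch a hardening setting that was misspelled or quoted. This is an added example, not dotsecenv code: `audit_config`, the profile names and the choice to flag undocumented `behavior` keys are assumptions, and the config is assumed to be already parsed into a dict by a YAML parser.

```python
"""Policy check for a parsed dotsecenv config (added example, not project code)."""
import posixpath

# The two behavior keys documented on this page; both default to false.
KNOWN_BEHAVIOR_KEYS = {"require_explicit_vault_upgrade", "restrict_to_configured_vaults"}


def audit_config(cfg, profile="production"):
    """Return a list of findings for a config dict; profile names are hypothetical."""
    findings = []
    behavior = cfg.get("behavior") or {}
    # Assumption: flag keys this page does not document, so a typo is not missed.
    for key in sorted(set(behavior) - KNOWN_BEHAVIOR_KEYS):
        findings.append(f"behavior.{key}: not a setting documented on this page")
    # A quoted "true" parses as a string, not a boolean.
    for key in sorted(set(behavior) & KNOWN_BEHAVIOR_KEYS):
        if not isinstance(behavior[key], bool):
            findings.append(f"behavior.{key}: expected true/false, got {behavior[key]!r}")
    if profile == "production":
        if behavior.get("restrict_to_configured_vaults") is not True:
            findings.append("behavior.restrict_to_configured_vaults: must be true "
                            "so CLI -v cannot select another vault")
        program = (cfg.get("gpg") or {}).get("program", "PATH")
        if not posixpath.isabs(str(program)):
            findings.append(f"gpg.program: {program!r} is not an absolute path")
    elif profile == "shared":
        if behavior.get("require_explicit_vault_upgrade") is not True:
            findings.append("behavior.require_explicit_vault_upgrade: must be true "
                            "so upgrades are coordinated")
    return findings


# Constructed samples mirroring the page's example configurations.
DEV = {"vault": ["~/.local/share/dotsecenv/vault"], "gpg": {"program": "PATH"}}
PROD = {"vault": ["/secure/path/to/vault"],
        "behavior": {"restrict_to_configured_vaults": True},
        "gpg": {"program": "/usr/bin/gpg"}}
TYPO = {"vault": ["/secure/path/to/vault"],
        "behavior": {"restrict_to_configured_vault": True},  # missing trailing "s"
        "gpg": {"program": "/usr/bin/gpg"}}

if __name__ == "__main__":
    for name, cfg in (("dev", DEV), ("prod", PROD), ("typo", TYPO)):
        print(name, audit_config(cfg) or "ok")
```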