vaulter 1.0.1 → 1.0.5

package/README.md

@@ -6,32 +6,31 @@
 
 **One CLI to manage all your environment variables.**
 
-</div>
-
-## Installation
+[![npm version](https://img.shields.io/npm/v/vaulter.svg?style=flat-square&color=F5A623)](https://www.npmjs.com/package/vaulter)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.0+-3178C6?style=flat-square&logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
+[![Node.js](https://img.shields.io/badge/Node.js-22+-339933?style=flat-square&logo=node.js&logoColor=white)](https://nodejs.org/)
+[![MCP](https://img.shields.io/badge/MCP-Claude_AI-7C3AED?style=flat-square&logo=anthropic&logoColor=white)](https://modelcontextprotocol.io/)
+[![License](https://img.shields.io/npm/l/vaulter.svg?style=flat-square&color=007AFF)](https://github.com/forattini-dev/vaulter/blob/main/LICENSE)
 
-### One-liner (recommended)
+Store secrets anywhere: AWS S3, MinIO, R2, Spaces, B2, or local filesystem.
+<br>
+AES-256-GCM encryption. RSA/EC hybrid encryption. Native K8s, Helm & Terraform integration.
 
-```bash
-curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
-```
+[Quick Start](#quick-start) · [Security](#security) · [CI/CD](#cicd) · [Commands](#commands)
 
-### npm
+</div>
 
-```bash
-npm install -g vaulter
-```
+---
 
-### Specific version
+## Installation
 
 ```bash
-VAULTER_VERSION=v1.0.0 curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
-```
-
-### Custom directory
+# One-liner (recommended)
+curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
 
-```bash
-VAULTER_DIR=/usr/local/bin curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
+# Or via npm/pnpm
+npm install -g vaulter
+pnpm add -g vaulter
 ```
 
 ## Quick Start
@@ -41,10 +40,7 @@ VAULTER_DIR=/usr/local/bin curl -fsSL https://raw.githubusercontent.com/forattin
 vaulter init
 
 # Set secrets (encrypted, synced to backend)
-vaulter set DATABASE_URL="postgres://localhost/mydb" API_KEY="sk-secret-key" -e dev
-
-# Set configs (plain text in split mode, synced in unified mode)
-vaulter set PORT::3000 LOG_LEVEL::debug -e dev
+vaulter set DATABASE_URL="postgres://localhost/mydb" -e dev
 
 # Export to shell
 eval $(vaulter export -e dev)
@@ -55,1038 +51,476 @@ vaulter k8s:secret -e prd | kubectl apply -f -
 
 ---
 
-<div align="center">
-
-[![npm version](https://img.shields.io/npm/v/vaulter.svg?style=flat-square&color=F5A623)](https://www.npmjs.com/package/vaulter)
-[![TypeScript](https://img.shields.io/badge/TypeScript-5.0+-3178C6?style=flat-square&logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
-[![Node.js](https://img.shields.io/badge/Node.js-22+-339933?style=flat-square&logo=node.js&logoColor=white)](https://nodejs.org/)
-[![License](https://img.shields.io/npm/l/vaulter.svg?style=flat-square&color=007AFF)](https://github.com/forattini-dev/vaulter/blob/main/LICENSE)
-
-Store secrets anywhere: AWS S3, MinIO, R2, Spaces, B2, or local filesystem.
-<br>
-AES-256-GCM encryption. Native K8s, Helm & Terraform integration.
-<br>
-MCP server for Claude AI. Zero config for dev, production-ready.
-
-[📖 Documentation](#configuration) · [🔧 CLI](#commands) · [🚀 Highlights](#highlights)
-
-</div>
-
----
-
 ## Table of Contents
 
-- [Installation](#installation)
-- [Quick Start](#quick-start)
-- [What's Inside](#whats-inside)
-- [Highlights](#highlights)
-- [Commands](#commands)
+- [Why Vaulter?](#why-vaulter)
+- [Security](#security)
+- [Daily Use](#daily-use)
+- [CI/CD](#cicd)
 - [Configuration](#configuration)
-  - [Directory Modes](#directory-modes)
-- [Backend URLs](#backend-urls)
-- [Encryption](#encryption)
-- [Running Commands](#running-commands)
-  - [Shell Scripts](#shell-scripts)
-  - [Interactive Tools](#interactive-tools)
 - [Integrations](#integrations)
-  - [kubectl](#kubectl)
-  - [Helm & Helmfile](#helm--helmfile)
-  - [Terraform & Terragrunt](#terraform--terragrunt)
 - [Monorepo Support](#monorepo-support)
-  - [NX Monorepo](#nx-monorepo)
-  - [Turborepo](#turborepo)
-- [MCP Server](#mcp-server)
-  - [MCP Tools](#mcp-tools-14)
-  - [MCP Resources](#mcp-resources-5)
-  - [MCP Prompts](#mcp-prompts-5)
-- [CI/CD](#cicd)
-  - [Developer Daily Workflow](#developer-daily-workflow)
-  - [GitHub Actions](#github-actions)
-  - [GitLab CI](#gitlab-ci)
-  - [CircleCI](#circleci)
-  - [Azure DevOps](#azure-devops)
-- [Security Best Practices](#security-best-practices)
 - [API Usage](#api-usage)
-- [Pre-built Binaries](#pre-built-binaries)
+- [MCP Server](#mcp-server)
 
 ---
 
-## What's Inside
+## Why Vaulter?
 
-| Category | Features |
-|:---------|:---------|
-| **Backends** | AWS S3, MinIO, Cloudflare R2, DigitalOcean Spaces, Backblaze B2, FileSystem, Memory |
-| **Encryption** | AES-256-GCM via s3db.js, field-level encryption |
-| **Environments** | dev, stg, prd, sbx, dr (configurable subset) |
-| **Integrations** | Kubernetes Secret/ConfigMap, Helm values.yaml, Terraform tfvars |
-| **Monorepo** | Service discovery, batch operations, config inheritance |
-| **MCP Server** | Claude AI integration via Model Context Protocol |
-| **Unix Pipes** | Full stdin/stdout support for scripting |
-| **Dotenv** | Drop-in compatible: `import 'vaulter/load'` |
+### The Problem
 
-## Highlights
+Environment variables and secrets are scattered across `.env` files, CI/CD settings, cloud consoles, and team Slack messages. This creates:
 
-### Multi-Backend with Fallback
+- **Security gaps**: Secrets in plaintext files, git history, or shared docs
+- **Sync issues**: "Works on my machine" because `.env` files differ
+- **Deploy friction**: Manual copy-paste between environments
+- **Audit blindness**: No idea who changed what, when
 
-Configure multiple backends - vaulter tries each until one succeeds:
+### The Solution
 
-```yaml
-backend:
-  urls:
-    - s3://bucket/envs?region=us-east-1     # Primary (CI/CD)
-    - file:///home/user/.vaulter-store       # Fallback (local dev)
-```
+Vaulter centralizes all environment variables in encrypted storage (S3-compatible) while maintaining the simplicity of `.env` files:
 
-### Native Integrations
+| Traditional | With Vaulter |
+|:------------|:-------------|
+| Secrets in plaintext `.env` | Encrypted at rest (AES-256-GCM) |
+| Manual sync between devs | `vaulter pull` / `vaulter push` |
+| Copy-paste to CI/CD | `eval $(vaulter export -e prd)` |
+| No audit trail | Full history via S3 versioning |
+| Different files per machine | Single source of truth |
 
-```bash
-# Kubernetes - deploy secrets directly
-vaulter k8s:secret -e prd | kubectl apply -f -
+### Why Trust Vaulter?
 
-# Helm - generate values file
-vaulter helm:values -e prd | helm upgrade myapp ./chart -f -
+1. **Open source**: All code is auditable
+2. **No lock-in**: Your data lives in YOUR storage (S3, MinIO, R2, filesystem)
+3. **Standard encryption**: AES-256-GCM, the same used by AWS, Google, and banks
+4. **Zero external dependencies**: No SaaS, no API keys, no third-party services
+5. **Offline capable**: Works with local filesystem backend
 
-# Terraform - export as tfvars
-vaulter tf:vars -e prd > terraform.tfvars
-```
+---
 
-### Unix Pipes
+## Security
 
-```bash
-# Import from Vault
-vault kv get -format=json secret/app | \
-  jq -r '.data.data | to_entries | .[] | "\(.key)=\(.value)"' | \
-  vaulter sync -e prd
-
-# Export to kubectl
-vaulter export -e prd --format=env | \
-  kubectl create secret generic myapp --from-env-file=/dev/stdin
-```
+### Encryption Model
 
-### MCP Server for Claude
+Every secret is encrypted **before** leaving your machine using **AES-256-GCM**:
 
-```bash
-# Start MCP server
-vaulter mcp
 ```
-
-```json
-{
-  "mcpServers": {
-    "vaulter": {
-      "command": "npx",
-      "args": ["vaulter", "mcp"]
-    }
-  }
-}
+┌─────────────────────────────────────────────────────────────┐
+│                     Your Machine                            │
+│                                                             │
+│  .env file ──► vaulter encrypt ──► encrypted blob ──► S3   │
+│               (AES-256-GCM)         (unreadable)           │
+│                                                             │
+│  S3 ──► encrypted blob ──► vaulter decrypt ──► .env file   │
+│         (unreadable)       (AES-256-GCM)                   │
+└─────────────────────────────────────────────────────────────┘
 ```
 
-### Dotenv Compatible
+**What this means:**
+- The backend (S3, MinIO, etc.) only sees encrypted data
+- Even with S3 access, secrets are unreadable without the key
+- Each value is encrypted individually (field-level encryption)
+- Authenticated encryption prevents tampering (GCM mode)
 
-Drop-in replacement for dotenv - works with your existing setup:
+### Key Management
 
-```typescript
-// Auto-load .env into process.env
-import 'vaulter/load'
+Vaulter stores keys in `~/.vaulter/` directory (outside project) for security:
 
-// Or programmatically with options
-import { loader } from 'vaulter'
-loader({ path: '.env.local', override: true })
+```
+~/.vaulter/
+├── projects/
+│   └── <project-name>/
+│       └── keys/
+│           ├── master           # Private key (mode 600)
+│           └── master.pub       # Public key (mode 644)
+└── global/
+    └── keys/                    # Shared across all projects
+        ├── shared
+        └── shared.pub
 ```
 
-## Commands
-
-### Core
-
-| Command | Description | Example |
-|:--------|:------------|:--------|
-| `init` | Initialize project | `vaulter init` |
-| `get <key>` | Get a variable | `vaulter get DATABASE_URL -e prd` |
-| `set KEY=val ...` | Set secrets (batch) | `vaulter set KEY1=v1 KEY2=v2 -e prd` |
-| `set KEY::val ...` | Set configs (plain) | `vaulter set PORT::3000 HOST::0.0.0.0 -e dev` |
-| `delete <key>` | Delete a variable | `vaulter delete OLD_KEY -e dev` |
-| `list` | List all variables | `vaulter list -e prd` |
-| `export` | Export for shell | `eval $(vaulter export -e dev)` |
-
-### Sync
-
-| Command | Description | Example |
-|:--------|:------------|:--------|
-| `sync` | Merge local .env and backend | `vaulter sync -f .env.local -e dev` |
-| `pull` | Download to .env | `vaulter pull -e prd -o .env.prd` |
-| `push` | Upload from .env | `vaulter push -f .env.local -e dev` |
-
-### Integrations
-
-| Command | Description | Example |
-|:--------|:------------|:--------|
-| `k8s:secret` | Kubernetes Secret | `vaulter k8s:secret -e prd \| kubectl apply -f -` |
-| `k8s:configmap` | Kubernetes ConfigMap | `vaulter k8s:configmap -e prd` |
-| `helm:values` | Helm values.yaml | `vaulter helm:values -e prd` |
-| `tf:vars` | Terraform .tfvars | `vaulter tf:vars -e prd > terraform.tfvars` |
-| `tf:json` | Terraform JSON | `vaulter tf:json -e prd` |
-
-### Utilities
-
-| Command | Description | Example |
-|:--------|:------------|:--------|
-| `key generate` | Generate encryption key | `vaulter key generate` |
-| `services` | List monorepo services | `vaulter services` |
-| `mcp` | Start MCP server | `vaulter mcp` |
-
-### Set Command Syntax
-
-HTTPie-style separators for differentiating secrets from configs:
+#### Key Commands
 
 ```bash
-# Secrets (encrypted, synced to backend)
-vaulter set KEY=value                    # Single secret
-vaulter set A=1 B=2 C=3 -e dev           # Batch secrets
-vaulter set KEY:=123                     # Typed secret (number/boolean)
+# Generate keys
+vaulter key generate --name master                    # Symmetric key
+vaulter key generate --name master --asymmetric       # RSA-4096 key pair
+vaulter key generate --name master --asym --alg ec-p256  # EC P-256 key pair
+vaulter key generate --name shared --global           # Global key (all projects)
 
-# Configs (plain text, file only in split mode, synced in unified mode)
-vaulter set PORT::3000 HOST::localhost   # Configs
+# List and show keys
+vaulter key list                      # List all keys (project + global)
+vaulter key show --name master        # Show key details
 
-# With metadata
-vaulter set DB_URL=postgres://... @tag:database,sensitive @owner:backend -e prd
+# Export/import for deployment
+vaulter key export --name master -o keys.enc    # Export encrypted bundle
+vaulter key import -f keys.enc                  # Import on another machine
 
-# Legacy syntax (still works)
-vaulter set KEY "value" -e dev           # Treated as secret
+# Set VAULTER_EXPORT_PASSPHRASE to encrypt the bundle with custom passphrase
 ```
 
-| Separator | Type | Backend Sync | Encryption (backend) |
-|:----------|:-----|:-------------|:-----------|
-| `=` | Secret | ✓ | ✓ |
-| `:=` | Secret (typed) | ✓ | ✓ |
-| `::` | Config | Split: ✗ / Unified: ✓ | ✓ |
-| `@key:value` | Metadata | — | — |
+#### Configuration with key_name
 
-Note: Config files remain plain text; backend storage is encrypted for all values.
-
-## Global Options
-
-```
--p, --project <name>    Project name
--s, --service <name>    Service name (monorepos)
--e, --env <env>         Environment: dev, stg, prd, sbx, dr
--b, --backend <url>     Backend URL override
--k, --key <path|value>  Encryption key file path or raw key
--v, --verbose           Verbose output
---all                   All services (monorepo batch)
---dry-run               Preview without applying
---json                  JSON output
---force                 Skip confirmations
-```
-
-## Configuration
-
-### Basic Config
+The simplest way to use keys is via `key_name` resolution:
 
 ```yaml
 # .vaulter/config.yaml
-version: "1"
-
-project: my-project
-service: api  # optional
-
-backend:
-  # Single URL
-  url: s3://bucket/envs?region=us-east-1
-
-  # Or multiple with fallback
-  urls:
-    - s3://bucket/envs?region=us-east-1
-    - file:///home/user/.vaulter-store
-
 encryption:
-  key_source:
-    - env: VAULTER_KEY           # 1. Environment variable
-    - file: .vaulter/.key        # 2. Local file
-    - s3: s3://keys/vaulter.key  # 3. Remote S3
-
-environments:
-  - dev
-  - stg
-  - prd
-
-default_environment: dev
-```
-
-### Sync Settings
-
-Sync merges local and remote variables. Conflicts are resolved by `sync.conflict`.
-
-```yaml
-sync:
-  conflict: local   # local | remote | error
-  ignore:
-    - "PUBLIC_*"
-  required:
-    dev:
-      - DATABASE_URL
-```
-
-Notes:
-- `local` (default): Local values win on conflict, remote-only keys are pulled to local
-- `remote`: Remote values win on conflict
-- `error`: Stop sync if any conflicts are detected
-- When reading from stdin, sync only updates the backend (local file is not changed).
-
-### Directory Modes
-
-Vaulter supports two directory structures for organizing environment files:
-
-#### Unified Mode (Default)
-
-All environment files in a single directory:
-
-```
-my-project/
-├── .vaulter/
-│   ├── config.yaml
-│   └── environments/
-│       ├── dev.env        # All vars (secrets + configs)
-│       ├── stg.env
-│       └── prd.env
+  mode: asymmetric
+  asymmetric:
+    algorithm: rsa-4096
+    key_name: master           # → ~/.vaulter/projects/<project>/keys/master[.pub]
+    # Or for global key:
+    # key_name: global:master  # → ~/.vaulter/global/keys/master[.pub]
 ```
 
-#### Split Mode
+#### Legacy Key Sources (still supported)
 
-Separate directories for configs (committable) and secrets (gitignored):
-
-```
-my-project/
-├── .vaulter/
-│   └── config.yaml
-└── deploy/
-    ├── configs/           # ✅ Committable (non-sensitive)
-    │   ├── dev.env        # NODE_ENV, PORT, LOG_LEVEL
-    │   ├── stg.env
-    │   └── prd.env
-    └── secrets/           # ❌ Gitignored (sensitive)
-        ├── dev.env        # DATABASE_URL, JWT_SECRET
-        ├── stg.env
-        └── prd.env
-```
-
-Configure split mode in `config.yaml`:
+You can also specify explicit key sources:
 
 ```yaml
-directories:
-  mode: split              # "unified" (default) or "split"
-  configs: deploy/configs  # Non-sensitive vars (committable)
-  secrets: deploy/secrets  # Sensitive vars (gitignored)
+encryption:
+  key_source:
+    - env: VAULTER_KEY           # 1. Environment variable (CI/CD)
+    - file: .vaulter/.key        # 2. Local file (development)
+    - s3: s3://keys/vaulter.key  # 3. Remote S3 (shared teams)
 ```
 
-Tip: scaffold split mode with `vaulter init --split`.
-
-**Behavior in split mode:**
-- `sync`, `pull`, `push` operate on the **secrets** directory
-- `k8s:secret` reads from local **secrets** file (no backend fetch)
-- `k8s:configmap` reads from local **configs** file (no backend fetch)
-- Configs are managed via git, secrets via vaulter
-
-**When to use split mode:**
-- Monorepos with deploy directories per service
-- Teams that want configs reviewed in PRs
-- Environments where non-sensitive configs should be in git
+##### Option 1: Environment Variable (Recommended for CI/CD)
 
-### Hooks
+```bash
+# Generate a key
+vaulter key generate --name master
 
-```yaml
-hooks:
-  pre_sync: "echo pre sync"
-  post_sync: "echo post sync"
-  pre_pull: "echo pre pull"
-  post_pull: "echo post pull"
+# Set in CI/CD secrets from the generated key
+export VAULTER_KEY=$(cat ~/.vaulter/projects/myproject/keys/master)
 ```
 
-### Environment Variable Expansion
+**Pros**: Key never in project directory, rotates easily via CI/CD secret rotation
+**Use case**: GitHub Actions, GitLab CI, Jenkins
 
-Config values support `${VAR}`, `${VAR:-default}`, and `$VAR`:
+##### Option 2: key_name Resolution (Recommended for Development)
 
 ```yaml
-backend:
-  url: s3://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@bucket/envs
-  # Or
-  url: ${VAULTER_BACKEND_URL}
+encryption:
+  mode: asymmetric
+  asymmetric:
+    key_name: master    # Auto-resolves to ~/.vaulter/projects/<project>/keys/
 ```
 
-### Local Override (config.local.yaml)
+**Pros**: Simple, keys stored securely outside project
+**Use case**: Local development, team workflows
 
-For credentials that should **never** be committed:
+##### Option 3: Remote S3 (Team Shared)
 
 ```yaml
-# .vaulter/config.local.yaml (gitignored)
-backend:
-  url: s3://real-key:real-secret@bucket/envs?region=us-east-1
+encryption:
+  key_source:
+    - s3: s3://company-keys/vaulter/project.key?region=us-east-1
 ```
 
-## Backend URLs
-
-| Provider | URL Format |
-|:---------|:-----------|
-| **AWS S3** | `s3://bucket/path?region=us-east-1` |
-| **AWS S3 + Profile** | `s3://bucket/path?region=us-east-1&profile=myprofile` |
-| **AWS S3 + Credentials** | `s3://${KEY}:${SECRET}@bucket/path` |
-| **MinIO** | `http://${KEY}:${SECRET}@localhost:9000/bucket` |
-| **Cloudflare R2** | `https://${KEY}:${SECRET}@${ACCOUNT}.r2.cloudflarestorage.com/bucket` |
-| **DigitalOcean Spaces** | `https://${KEY}:${SECRET}@nyc3.digitaloceanspaces.com/bucket` |
-| **Backblaze B2** | `https://${KEY}:${SECRET}@s3.us-west-002.backblazeb2.com/bucket` |
-| **FileSystem** | `file:///path/to/storage` |
-| **Memory** | `memory://bucket-name` |
-
-## Encryption
-
-All secrets are encrypted with **AES-256-GCM** before storage.
+**Pros**: Centralized key management, IAM-controlled access
+**Use case**: Teams, multiple developers needing same key
 
-### Key Sources
+### Asymmetric Key Encryption (RSA/EC)
 
-```bash
-# 1. Environment variable (CI/CD)
-export VAULTER_KEY="base64-encoded-32-byte-key"
-vaulter export -e prd
-
-# 2. Local file (development)
-vaulter key generate -o .vaulter/.key
-
-# 3. Remote S3 (production)
-# Configured in config.yaml
-```
+For enhanced security with separate encrypt/decrypt permissions, Vaulter supports hybrid encryption using RSA or Elliptic Curve key pairs.
 
-You can also pass a key directly:
+#### How It Works
 
-```bash
-vaulter list -e prd --key .vaulter/.key
 ```
-
-### Security Settings
-
-```yaml
-security:
-  paranoid: true  # Fail if no encryption key is found
-  auto_encrypt:
-    patterns:
-      - "*_KEY"
-      - "*_SECRET"
-      - "DATABASE_URL"
+┌────────────────────────────────────────────────────────────────┐
+│                     Hybrid Encryption                          │
+│                                                                │
+│  Your secret ──► AES-256-GCM ──► Encrypted data               │
+│                      │                                         │
+│                      │ (random AES key)                        │
+│                      ▼                                         │
+│  Public key ──► RSA/EC encrypt ──► Encrypted AES key          │
+│                                                                │
+│  Stored: { encrypted_key + encrypted_data + metadata }        │
+│                                                                │
+│  Decryption requires: Private key + Encrypted blob            │
+└────────────────────────────────────────────────────────────────┘
 ```
 
-`auto_encrypt.patterns` is used to classify secrets for integrations (K8s/Helm).
-
-## Running Commands
-
-Load environment variables into any command using `eval $(vaulter export)`.
-
-### Shell Scripts
-
-```bash
-# Run a script with environment variables
-eval $(vaulter export -e dev) ./myscript.sh
-
-# Or in two steps
-eval $(vaulter export -e dev)
-./myscript.sh
+**Benefits:**
+- **Separation of duties**: Public key can only encrypt, private key can decrypt
+- **CI/CD security**: Give CI/CD only the public key - it can write but not read secrets
+- **Production isolation**: Only production has the private key for decryption
 
-# One-liner with subshell (vars don't persist after)
-(eval $(vaulter export -e prd) && ./deploy.sh)
-
-# Using env command (cleaner syntax)
-env $(vaulter export -e dev --format=shell) ./myscript.sh
-```
-
-### Interactive Tools
+#### Generate Key Pair
 
 ```bash
-# k9s with production credentials
-eval $(vaulter export -e prd) k9s
-
-# psql with database URL
-eval $(vaulter export -e dev) psql $DATABASE_URL
+# RSA 4096-bit (default, most compatible)
+vaulter key generate --name master --asymmetric
 
-# redis-cli
-eval $(vaulter export -e dev) redis-cli -u $REDIS_URL
+# RSA 2048-bit (faster, less secure)
+vaulter key generate --name master --asym --algorithm rsa-2048
 
-# AWS CLI with credentials
-eval $(vaulter export -e prd) aws s3 ls
+# Elliptic Curve P-256 (modern, fast)
+vaulter key generate --name master --asym --alg ec-p256
 
-# Docker run with env vars
-eval $(vaulter export -e dev) docker run --env-file <(vaulter export -e dev --format=env) myapp
+# Elliptic Curve P-384 (stronger EC)
+vaulter key generate --name master --asym --alg ec-p384
 
-# Any Node.js app
-eval $(vaulter export -e dev) node server.js
-
-# Python app
-eval $(vaulter export -e dev) python app.py
+# Global key (shared across all projects)
+vaulter key generate --name shared --global --asymmetric
 ```
 
-### Shell Alias (Recommended)
-
-Add to your `~/.bashrc` or `~/.zshrc`:
-
-```bash
-# Quick alias for common environments
-alias vdev='eval $(vaulter export -e dev)'
-alias vstg='eval $(vaulter export -e stg)'
-alias vprd='eval $(vaulter export -e prd)'
-
-# Usage
-vdev ./myscript.sh
-vprd k9s
-vstg psql $DATABASE_URL
-```
-
-### One-liner Pattern
-
-```bash
-# Pattern: eval $(vaulter export -e ENV) COMMAND
-eval $(vaulter export -e dev) npm run dev
-eval $(vaulter export -e prd) kubectl get pods
-eval $(vaulter export -e stg) terraform plan
-```
-
-## Integrations
-
-### kubectl
-
-```bash
-# Create Secret from vaulter
-vaulter k8s:secret -e prd | kubectl apply -f -
-
-# Create ConfigMap (non-secret vars)
-vaulter k8s:configmap -e prd | kubectl apply -f -
-
-# With custom name and namespace
-vaulter k8s:secret -e prd -n my-namespace --name my-app-secrets | kubectl apply -f -
-
-# Dry-run to see YAML
-vaulter k8s:secret -e prd --dry-run
-
-# Create secret from export (alternative)
-vaulter export -e prd --format=env | \
-  kubectl create secret generic myapp --from-env-file=/dev/stdin --dry-run=client -o yaml | \
-  kubectl apply -f -
-
-# Run kubectl with vaulter vars
-eval $(vaulter export -e prd) kubectl exec -it deploy/myapp -- env | grep DATABASE
+Output:
 ```
+✓ Generated rsa-4096 key pair: master
+  Private: ~/.vaulter/projects/my-project/keys/master (mode 600 - keep secret!)
+  Public:  ~/.vaulter/projects/my-project/keys/master.pub (mode 644)
 
-### Helm & Helmfile
-
-#### Helm
-
-```bash
-# Generate values.yaml and pipe to helm
-vaulter helm:values -e prd | helm upgrade myapp ./chart -f -
-
-# Save values to file
-vaulter helm:values -e prd > values.prd.yaml
-helm upgrade myapp ./chart -f values.prd.yaml
-
-# With secrets separated (uses auto_encrypt.patterns)
-vaulter helm:values -e prd --secrets  # Only secret vars
-vaulter helm:values -e prd --config   # Only non-secret vars
-
-# Install with inline values
-helm install myapp ./chart \
-  --set-string DATABASE_URL="$(vaulter get DATABASE_URL -e prd)" \
-  --set-string API_KEY="$(vaulter get API_KEY -e prd)"
+To use these keys in config.yaml:
+  encryption:
+    mode: asymmetric
+    asymmetric:
+      algorithm: rsa-4096
+      key_name: master
 ```
 
-#### Helmfile
+#### Configuration
 
 ```yaml
-# helmfile.yaml
-repositories:
-  - name: bitnami
-    url: https://charts.bitnami.com/bitnami
-
-releases:
-  - name: myapp
-    namespace: production
-    chart: ./charts/myapp
-    values:
-      - values.yaml
-      - values.prd.yaml  # Generated by: vaulter helm:values -e prd > values.prd.yaml
-```
-
-```bash
-# Generate values before helmfile sync
-vaulter helm:values -e prd > values.prd.yaml
-helmfile sync
-
-# Or use process substitution
-helmfile sync --values <(vaulter helm:values -e prd)
-
-# With environment variables for helmfile
-eval $(vaulter export -e prd) helmfile apply
-```
-
-### Terraform & Terragrunt
-
-#### Terraform
-
-```bash
-# Generate .tfvars file
-vaulter tf:vars -e prd > terraform.tfvars
-terraform plan
-
-# Generate JSON format
-vaulter tf:json -e prd > terraform.tfvars.json
-terraform plan -var-file=terraform.tfvars.json
-
-# Pass vars inline
-terraform plan \
-  -var="database_url=$(vaulter get DATABASE_URL -e prd)" \
-  -var="api_key=$(vaulter get API_KEY -e prd)"
-
-# Use TF_VAR_* environment variables
-eval $(vaulter export -e prd --format=tfvars)
-terraform plan
-
-# Pipe directly (requires bash process substitution)
-terraform plan -var-file=<(vaulter tf:vars -e prd)
-```
-
-#### Terragrunt
-
-```bash
-# Set env vars for terragrunt
-eval $(vaulter export -e prd) terragrunt plan
-
-# Generate inputs file
-vaulter tf:vars -e prd > inputs.tfvars
-terragrunt plan --terragrunt-config terragrunt.hcl
-
-# In terragrunt.hcl - use environment variables
-# terragrunt.hcl
-inputs = {
-  database_url = get_env("DATABASE_URL", "")
-  api_key      = get_env("API_KEY", "")
-}
-
-# Then run:
-eval $(vaulter export -e prd) terragrunt apply
-
-# Or with inputs file
-# terragrunt.hcl
-terraform {
-  extra_arguments "custom_vars" {
-    commands = get_terraform_commands_that_need_vars()
-    arguments = [
-      "-var-file=inputs.tfvars"
-    ]
-  }
-}
-```
-
-```bash
-# Full workflow with terragrunt
-vaulter pull -e prd                    # Get latest vars
-vaulter tf:vars -e prd > inputs.tfvars # Generate tfvars
-terragrunt plan                        # Plan with vars
-terragrunt apply                       # Apply
-```
-
-### Integration Summary
-
-| Tool | Command |
-|:-----|:--------|
-| **kubectl** | `vaulter k8s:secret -e prd \| kubectl apply -f -` |
-| **helm** | `vaulter helm:values -e prd \| helm upgrade app ./chart -f -` |
-| **helmfile** | `vaulter helm:values -e prd > values.prd.yaml && helmfile sync` |
-| **terraform** | `vaulter tf:vars -e prd > terraform.tfvars && terraform plan` |
-| **terragrunt** | `eval $(vaulter export -e prd) terragrunt apply` |
-| **any command** | `eval $(vaulter export -e ENV) COMMAND` |
-
-## Monorepo Support
-
-Vaulter auto-discovers services with `.vaulter/` directories and supports config inheritance.
-
-### NX Monorepo
-
-```
-my-nx-workspace/
-├── .vaulter/
-│   ├── config.yaml              # Shared config (backend, encryption)
-│   └── environments/
-│       └── dev.env              # Shared dev vars
-├── apps/
-│   ├── web/
-│   │   └── .vaulter/
-│   │       ├── config.yaml      # extends: ../../../.vaulter/config.yaml
-│   │       └── environments/
-│   │           └── dev.env      # App-specific vars
-│   └── api/
-│       └── .vaulter/
-│           ├── config.yaml
-│           └── environments/
-├── libs/                        # No .vaulter needed for libs
-├── nx.json
-└── package.json
-```
-
-```bash
-# From workspace root
-vaulter services                 # List: web, api
-
-# Sync all apps
-vaulter sync -e dev --all
-
-# Sync single app (from root or app dir)
-vaulter sync -e dev -s api
-cd apps/api && vaulter sync -e dev
-
-# NX run with env vars
-eval $(vaulter export -e dev -s api) && nx serve api
-```
-
-### Turborepo
-
-```
-my-turbo-monorepo/
-├── .vaulter/
-│   ├── config.yaml              # Root config
-│   └── environments/
-├── apps/
-│   ├── web/
-│   │   ├── .vaulter/
-│   │   │   ├── config.yaml      # extends: ../../../.vaulter/config.yaml
-│   │   │   └── environments/
-│   │   └── package.json
-│   └── docs/
-│       └── .vaulter/
-├── packages/                    # Shared packages (no .vaulter)
-├── turbo.json
-└── package.json
-```
-
-```bash
-# List discovered services
-vaulter services
-
-# Batch sync before turbo build
-vaulter sync -e prd --all && turbo build
-
-# Export for specific app
-cd apps/web && eval $(vaulter export -e dev)
-
-# Turbo with env passthrough (turbo.json)
-# { "pipeline": { "build": { "env": ["DATABASE_URL", "API_KEY"] } } }
-vaulter export -e prd -s web --format=shell >> apps/web/.env
-turbo build --filter=web
-```
-
-### Service Config Inheritance
+# .vaulter/config.yaml
+encryption:
+  mode: asymmetric              # Enable asymmetric mode
+  asymmetric:
+    algorithm: rsa-4096         # or rsa-2048, ec-p256, ec-p384
+    key_name: master            # Uses ~/.vaulter/projects/<project>/keys/master[.pub]
+    # Or for global keys:
+    # key_name: global:master   # Uses ~/.vaulter/global/keys/master[.pub]
+
+# Alternative: explicit key sources (for CI/CD or custom paths)
+# encryption:
+#   mode: asymmetric
+#   asymmetric:
+#     algorithm: rsa-4096
+#     public_key:
+#       - file: /path/to/master.pub
+#       - env: VAULTER_PUBLIC_KEY
+#     private_key:
+#       - file: /path/to/master
+#       - env: VAULTER_PRIVATE_KEY
+```
+
+#### Supported Algorithms
+
+| Algorithm | Key Size | Performance | Use Case |
+|:----------|:---------|:------------|:---------|
+| `rsa-4096` | 4096 bits | Slower | Maximum security, wide compatibility |
+| `rsa-2048` | 2048 bits | Medium | Good balance, legacy systems |
+| `ec-p256` | 256 bits | Fast | Modern systems, smaller keys |
+| `ec-p384` | 384 bits | Medium | Higher security EC |
+
+#### Use Case: Secure CI/CD Pipeline
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ Development                                                  │
+│   Developers have BOTH keys → can read and write secrets    │
+│   vaulter set API_KEY="..." -e dev                          │
+└──────────────────────────┬──────────────────────────────────┘
+                           │
+                           ▼
+┌─────────────────────────────────────────────────────────────┐
+│ CI/CD (GitHub Actions, Jenkins, etc.)                        │
+│   Only PUBLIC key → can write NEW secrets, cannot read      │
+│   Useful for automated secret rotation scripts              │
+│                                                             │
+│   env:                                                      │
+│     VAULTER_PUBLIC_KEY: ${{ secrets.VAULTER_PUBLIC_KEY }}   │
+└──────────────────────────┬──────────────────────────────────┘
+                           │
+                           ▼
+┌─────────────────────────────────────────────────────────────┐
+│ Production                                                   │
+│   Only PRIVATE key → can read secrets at runtime            │
+│                                                             │
+│   env:                                                      │
+│     VAULTER_PRIVATE_KEY: ${{ secrets.VAULTER_PRIVATE_KEY }} │
+│                                                             │
+│   # Application reads secrets at startup                    │
+│   eval $(vaulter export -e prd)                             │
+└─────────────────────────────────────────────────────────────┘
+```
+
+#### Environment Variables
+
+| Variable | Purpose |
+|:---------|:--------|
+| `VAULTER_PUBLIC_KEY` | Public key PEM content (for encryption) |
+| `VAULTER_PRIVATE_KEY` | Private key PEM content (for decryption) |
+
+### Advanced Security Configurations
+
+#### AWS KMS Integration (Planned)
+
+For enterprises requiring HSM-backed keys:
 
 ```yaml
-# apps/api/.vaulter/config.yaml
-extends: ../../../.vaulter/config.yaml  # Inherit root config
-
-service: api                            # Override service name
-
-# Override or add service-specific settings
-sync:
-  required:
-    prd:
-      - DATABASE_URL
-      - REDIS_URL
+encryption:
+  kms:
+    key_id: arn:aws:kms:us-east-1:123456789:key/abc-123
+    # Key never leaves AWS KMS
+    # Envelope encryption: KMS encrypts the data key
 ```
 
-### Commands
+**How it works:**
+1. Vaulter generates a data encryption key (DEK)
+2. DEK encrypts your secrets locally
+3. AWS KMS encrypts the DEK (envelope encryption)
+4. Only encrypted DEK + encrypted secrets are stored
+5. Decryption requires both KMS access AND S3 access
 
-```bash
-# List services
-vaulter services
+### Threat Model
 
-# Sync all services
-vaulter sync -e dev --all
-
-# Sync specific services (glob supported)
-vaulter sync -e dev -s api,worker
-vaulter sync -e dev -s "svc-*"
+| Threat | Protection |
+|:-------|:-----------|
+| S3 bucket breach | Data encrypted, key required |
+| Key file leaked | Rotate key, re-encrypt |
+| Man-in-middle | TLS + authenticated encryption |
+| Malicious insider | Audit logs via S3 versioning |
+| Accidental git commit | Secrets encrypted in .env |
 
-# Batch export
-vaulter export -e prd --all --format=json
-```
-
-## MCP Server
-
-Vaulter includes a full-featured **Model Context Protocol (MCP)** server for AI assistant integration. Works with Claude, ChatGPT, and any MCP-compatible client.
-
-### Quick Setup
+### Security Best Practices
 
 ```bash
-# Start MCP server
-vaulter mcp
-```
-
-Add to your Claude config (`~/.config/claude/claude_desktop_config.json`):
+# ✅ DO
+vaulter key generate                    # Random 256-bit key
+echo ".vaulter/.key" >> .gitignore      # Never commit keys
+export VAULTER_KEY="${{ secrets.KEY }}" # CI/CD secrets
 
-```json
-{
-  "mcpServers": {
-    "vaulter": {
-      "command": "npx",
-      "args": ["vaulter", "mcp"]
-    }
-  }
-}
-```
-
-Or with the binary:
-
-```json
-{
-  "mcpServers": {
-    "vaulter": {
-      "command": "/usr/local/bin/vaulter",
-      "args": ["mcp"]
-    }
-  }
-}
+# ❌ DON'T
+echo "password123" > .vaulter/.key      # Weak key
+git add .vaulter/.key                   # Exposed key
+vaulter set KEY=val --key "hardcoded"   # Key in command history
 ```
 
-### MCP Tools (14)
-
-The MCP server exposes 14 tools organized into categories:
-
-#### Core Tools
-
-| Tool | Description | Example Use |
-|:-----|:------------|:------------|
-| `vaulter_get` | Get a single variable | "Get the DATABASE_URL for production" |
-| `vaulter_set` | Set a variable with tags | "Set API_KEY to sk-xxx for dev" |
-| `vaulter_delete` | Delete a variable | "Remove the old LEGACY_KEY" |
-| `vaulter_list` | List all variables | "Show all vars in staging" |
-| `vaulter_export` | Export in various formats | "Export prod vars as JSON" |
-
-#### Sync Tools
-
-| Tool | Description | Example Use |
-|:-----|:------------|:------------|
-| `vaulter_sync` | Bidirectional sync | "Sync local .env with dev backend" |
-| `vaulter_pull` | Download from backend | "Pull production vars to .env.prd" |
-| `vaulter_push` | Upload to backend | "Push .env.local to dev" |
-
-#### Analysis Tools
-
-| Tool | Description | Example Use |
-|:-----|:------------|:------------|
-| `vaulter_compare` | Compare two environments | "What's different between stg and prd?" |
-| `vaulter_search` | Search by key pattern | "Find all vars containing DATABASE" |
-
-#### Monorepo Tools
-
-| Tool | Description | Example Use |
-|:-----|:------------|:------------|
-| `vaulter_services` | List discovered services | "What services are in this monorepo?" |
-
-#### Kubernetes Tools
-
-| Tool | Description | Example Use |
-|:-----|:------------|:------------|
-| `vaulter_k8s_secret` | Generate K8s Secret YAML | "Generate a K8s secret for prod" |
-| `vaulter_k8s_configmap` | Generate K8s ConfigMap | "Create a ConfigMap for non-secrets" |
-
-#### Setup Tools
-
-| Tool | Description | Example Use |
-|:-----|:------------|:------------|
-| `vaulter_init` | Initialize new project | "Set up vaulter in this project" |
-
-### MCP Resources (5)
-
-Resources provide read-only views of your secrets and configuration:
-
-| Resource URI | Description | Content |
-|:-------------|:------------|:--------|
-| `vaulter://config` | Project configuration | YAML from .vaulter/config.yaml |
-| `vaulter://services` | Monorepo services | JSON list of discovered services |
-| `vaulter://project/env` | Environment variables | .env format for project/env |
-| `vaulter://project/env/service` | Service-specific vars | .env format for service |
-| `vaulter://compare/env1/env2` | Environment comparison | Diff between two environments |
-
-**Example resource access:**
-- `vaulter://config` → Current config.yaml content
-- `vaulter://my-app/prd` → Production vars for my-app
-- `vaulter://compare/dev/prd` → What's different between dev and prod
-
-### MCP Prompts (5)
-
-Pre-configured workflow prompts guide AI through complex operations:
-
-| Prompt | Description | Arguments |
-|:-------|:------------|:----------|
-| `setup_project` | Initialize a new vaulter project | `project_name`, `mode?`, `backend?` |
-| `migrate_dotenv` | Migrate existing .env to vaulter | `file_path`, `environment`, `dry_run?` |
-| `deploy_secrets` | Deploy secrets to Kubernetes | `environment`, `namespace?`, `secret_name?` |
-| `compare_environments` | Compare two environments | `source_env`, `target_env`, `show_values?` |
-| `security_audit` | Audit secrets for security issues | `environment`, `strict?` |
-
-**Example prompt usage in Claude:**
-- "Use the setup_project prompt to create a new project called api-service"
-- "Run the migrate_dotenv prompt for .env.local to dev environment"
-- "Execute security_audit for production in strict mode"
-
-### MCP Capabilities Summary
-
-| Category | Count | Features |
-|:---------|------:|:---------|
-| **Tools** | 14 | CRUD, sync, compare, K8s, init |
-| **Resources** | 5 | Config, services, vars, comparison |
-| **Prompts** | 5 | Setup, migrate, deploy, compare, audit |
-| **Formats** | 5 | shell, json, yaml, env, tfvars |
-
-### Example AI Conversations
-
-**Setting up a new project:**
-> "Help me set up vaulter for my new api-service project using S3 backend"
-
-The AI will use `vaulter_init`, guide through backend config, and set up encryption.
-
-**Migrating from dotenv:**
-> "I have a .env.production file with 50 variables. Help me migrate to vaulter"
-
-The AI will analyze the file, identify secrets vs configs, and sync to backend.
-
-**Deploying to Kubernetes:**
-> "Generate Kubernetes secrets for production and show me how to deploy them"
-
-The AI will use `vaulter_k8s_secret` and provide kubectl commands.
-
-**Comparing environments:**
-> "What variables are in staging but missing from production?"
-
-The AI will use `vaulter_compare` and show the differences.
-
-**Security review:**
-> "Audit my production secrets for security issues"
-
-The AI will analyze variable patterns, check for weak values, and provide recommendations.
-
-## CI/CD
-
-### Developer Daily Workflow
+---
 
-A typical day with vaulter:
+## Daily Use
 
-#### 1. Morning Setup
+### Workflow Overview
 
 ```bash
-# Pull latest secrets to your local .env
+# Morning: sync with team's changes
 vaulter pull -e dev
 
-# Start development with loaded vars
-eval $(vaulter export -e dev) npm run dev
+# During development: add new variable
+vaulter set NEW_API_KEY="sk-xxx" -e dev
 
-# Or use the alias (add to ~/.bashrc)
-alias vdev='eval $(vaulter export -e dev)'
-vdev npm run dev
+# End of day: push changes
+vaulter push -e dev
+
+# Deploy: export to production
+vaulter k8s:secret -e prd | kubectl apply -f -
 ```
 
-#### 2. Adding New Variables
+### Commands Reference
 
-```bash
-# Add a new secret (encrypted, synced to backend)
-vaulter set NEW_API_KEY="sk-xxx" -e dev
+#### Core Commands
 
-# Add a config (plain text)
-vaulter set LOG_LEVEL::debug -e dev
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `init` | Initialize project | `vaulter init` |
+| `get <key>` | Get a variable | `vaulter get DATABASE_URL -e prd` |
+| `set KEY=val` | Set secrets (batch) | `vaulter set A=1 B=2 -e prd` |
+| `set KEY::val` | Set configs (plain) | `vaulter set PORT::3000 -e dev` |
+| `delete <key>` | Delete a variable | `vaulter delete OLD_KEY -e dev` |
+| `list` | List all variables | `vaulter list -e prd` |
+| `list --all-envs` | List across all envs | `vaulter list --all-envs` |
+| `export` | Export for shell | `eval $(vaulter export -e dev)` |
 
-# Batch add multiple vars
-vaulter set DB_HOST::localhost DB_PORT::5432 DB_PASSWORD="secret123" -e dev
+#### Sync Commands
 
-# Check what you have
-vaulter list -e dev
-```
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `sync` | Merge local and backend | `vaulter sync -e dev` |
+| `pull` | Download from backend | `vaulter pull -e prd` |
+| `push` | Upload to backend | `vaulter push -e dev` |
 
-#### 3. Syncing with Team
+#### Integration Commands
 
-```bash
-# Your teammate added new vars - pull them
-vaulter pull -e dev
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `k8s:secret` | Kubernetes Secret | `vaulter k8s:secret -e prd` |
+| `k8s:configmap` | Kubernetes ConfigMap | `vaulter k8s:configmap -e prd` |
+| `helm:values` | Helm values.yaml | `vaulter helm:values -e prd` |
+| `tf:vars` | Terraform .tfvars | `vaulter tf:vars -e prd` |
+| `scan` | Scan monorepo | `vaulter scan` |
 
-# You made changes - push to backend
-vaulter push -e dev
+### Set Command Syntax
 
-# Two-way sync (recommended)
-vaulter sync -e dev
+```bash
+# Secrets (encrypted, synced to backend)
+vaulter set KEY=value                    # Single secret
+vaulter set A=1 B=2 C=3 -e dev           # Batch secrets
+vaulter set KEY:=123                     # Typed (number/boolean)
 
-# Preview before sync
-vaulter sync -e dev --dry-run
+# Configs (plain text in split mode)
+vaulter set PORT::3000 HOST::localhost   # Configs
 ```
 
-#### 4. Testing Different Environments
-
-```bash
-# Run with staging config
-eval $(vaulter export -e stg) npm test
+| Separator | Type | Backend Sync | Encrypted |
+|:----------|:-----|:-------------|:----------|
+| `=` | Secret | ✓ | ✓ |
+| `:=` | Secret (typed) | ✓ | ✓ |
+| `::` | Config | Split: ✗ / Unified: ✓ | ✓ |
 
-# Compare what's different in production
-vaulter compare -e dev -e prd
+### Global Options
 
-# One-liner to check production
-vdev npm run dev   # dev
-vstg npm test      # stg
-vprd npm run build # prd (be careful!)
+```
+-p, --project <name>    Project name
+-s, --service <name>    Service name (monorepos)
+-e, --env <env>         Environment name (as defined in config)
+-b, --backend <url>     Backend URL override
+-k, --key <path|value>  Encryption key
+-f, --file <path>       Input file path
+-o, --output <path>     Output file path
+-n, --namespace <name>  Kubernetes namespace
+    --format <fmt>      Output format (shell/json/yaml/env/tfvars/docker-args)
+-v, --verbose           Verbose output (shows values)
+    --dry-run           Preview without applying
+    --json              JSON output
+    --force             Skip confirmations
+    --all               Apply to all services in monorepo
 ```
 
-#### 5. Before Code Review
-
-```bash
-# Make sure all required vars are documented
-vaulter list -e dev --json | jq 'keys'
+### Flexible Environment Names
 
-# Check nothing sensitive is in wrong place
-vaulter search "*PASSWORD*" -e dev
-vaulter search "*SECRET*" -e dev
-```
+Vaulter lets you define your own environment names. Use whatever convention fits your workflow:
 
-#### 6. Deployment Prep
+```yaml
+# Short names (default)
+environments: [dev, stg, prd]
 
-```bash
-# Generate K8s secret and review
-vaulter k8s:secret -e prd --dry-run
+# Full names
+environments: [development, staging, production]
 
-# Generate and apply
-vaulter k8s:secret -e prd | kubectl apply -f -
+# Custom names
+environments: [local, homolog, qa, uat, prod]
 
-# Or export for Helm
-vaulter helm:values -e prd > values.prd.yaml
-helm upgrade myapp ./chart -f values.prd.yaml
+# Brazilian pattern
+environments: [dev, homolog, prd]
 ```
 
-### Shell Aliases (Recommended)
-
-Add to `~/.bashrc` or `~/.zshrc`:
+All commands use `-e` with your custom names:
 
 ```bash
-# Quick environment loading
-alias vdev='eval $(vaulter export -e dev)'
-alias vstg='eval $(vaulter export -e stg)'
-alias vprd='eval $(vaulter export -e prd)'
-
-# Common operations
-alias vpull='vaulter pull -e dev'
-alias vpush='vaulter push -e dev'
-alias vsync='vaulter sync -e dev'
-alias vlist='vaulter list -e dev'
-
-# K8s shortcuts
-alias vk8s='vaulter k8s:secret'
-alias vhelm='vaulter helm:values'
-
-# Usage
-vdev npm run dev              # Dev with env vars
-vstg npm test                 # Test with staging
-vpull && vdev npm run dev     # Pull latest, then run
-vk8s -e prd | kubectl apply -f -  # Deploy secrets
+vaulter list -e homolog
+vaulter pull -e development
+vaulter k8s:secret -e uat | kubectl apply -f -
 ```
 
-### GitHub Actions
+---
+
+## CI/CD
 
-#### Basic Deploy Secrets
+### GitHub Actions (Quick Start)
 
 ```yaml
 name: Deploy
@@ -1100,7 +534,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Deploy secrets to K8s
+      - name: Deploy secrets to Kubernetes
         env:
           VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -1109,233 +543,437 @@ jobs:
           npx vaulter k8s:secret -e prd | kubectl apply -f -
 ```
 
-#### Multi-Environment Deploy
+### GitHub Actions (Complete Example)
 
 ```yaml
-name: Deploy to Environment
+name: Deploy to Kubernetes
 on:
+  push:
+    branches: [main, develop]
   workflow_dispatch:
     inputs:
       environment:
-        description: 'Environment to deploy'
+        description: 'Target environment'
         required: true
+        default: 'dev'
         type: choice
         options: [dev, stg, prd]
 
+env:
+  VAULTER_VERSION: '1.0.1'
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
-    environment: ${{ inputs.environment }}
+    environment: ${{ github.event.inputs.environment || (github.ref == 'refs/heads/main' && 'prd') || 'dev' }}
+
     steps:
       - uses: actions/checkout@v4
 
-      - name: Deploy secrets
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install Vaulter
+        run: npm install -g vaulter@${{ env.VAULTER_VERSION }}
+
+      - name: Configure kubectl
+        uses: azure/k8s-set-context@v4
+        with:
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+
+      - name: Deploy Secrets
         env:
           VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         run: |
-          npx vaulter k8s:secret -e ${{ inputs.environment }} | kubectl apply -f -
-          npx vaulter k8s:configmap -e ${{ inputs.environment }} | kubectl apply -f -
+          ENV=${{ github.event.inputs.environment || (github.ref == 'refs/heads/main' && 'prd') || 'dev' }}
+
+          # Deploy K8s Secret
+          vaulter k8s:secret -e $ENV -n my-namespace | kubectl apply -f -
+
+          # Deploy ConfigMap (non-sensitive config)
+          vaulter k8s:configmap -e $ENV -n my-namespace | kubectl apply -f -
+
+          # Verify deployment
+          kubectl get secret,configmap -n my-namespace
+
+      - name: Restart Deployment
+        run: |
+          kubectl rollout restart deployment/my-app -n my-namespace
+          kubectl rollout status deployment/my-app -n my-namespace --timeout=120s
 ```
 
-#### Monorepo with Matrix
+### GitHub Actions (Monorepo with Services)
 
 ```yaml
-name: Deploy Services
+name: Deploy Service
 on:
   push:
     branches: [main]
+    paths:
+      - 'apps/svc-*/**'
 
 jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      services: ${{ steps.changes.outputs.services }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: changes
+        run: |
+          # Detect which services changed
+          SERVICES=$(git diff --name-only HEAD~1 | grep '^apps/svc-' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1]')
+          echo "services=$SERVICES" >> $GITHUB_OUTPUT
+
   deploy:
+    needs: detect-changes
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        service: [api, web, worker]
+        service: ${{ fromJson(needs.detect-changes.outputs.services) }}
     steps:
       - uses: actions/checkout@v4
 
-      - name: Deploy ${{ matrix.service }} secrets
+      - name: Deploy ${{ matrix.service }}
         env:
           VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
         run: |
-          cd apps/${{ matrix.service }}
-          npx vaulter k8s:secret -e prd | kubectl apply -f -
+          # Deploy secrets for specific service
+          vaulter k8s:secret -e prd -s ${{ matrix.service }} | kubectl apply -f -
 ```
 
-#### PR Preview Environment
+### GitHub Actions (Using Binary for Speed)
 
 ```yaml
-name: PR Preview
-on:
-  pull_request:
-    types: [opened, synchronize]
+name: Deploy (Fast)
+on: [push]
 
 jobs:
-  preview:
+  deploy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: Create preview secrets
+      - name: Download Vaulter Binary
+        run: |
+          curl -sL https://github.com/forattini-dev/vaulter/releases/latest/download/vaulter-linux -o vaulter
+          chmod +x vaulter
+          sudo mv vaulter /usr/local/bin/
+
+      - name: Deploy
         env:
           VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
         run: |
-          # Use dev secrets for PR previews
-          npx vaulter k8s:secret -e dev -n preview-pr-${{ github.event.number }} | \
-            kubectl apply -f -
+          vaulter k8s:secret -e prd | kubectl apply -f -
 ```
 
-#### Validate Secrets Exist
+### GitHub Actions (Matrix Deploy)
 
 ```yaml
-name: Validate Secrets
+name: Deploy All Environments
 on:
-  pull_request:
-    paths:
-      - '.vaulter/**'
-      - 'deploy/**'
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options: [dev, stg, prd]
 
 jobs:
-  validate:
+  deploy:
     runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
     steps:
       - uses: actions/checkout@v4
 
-      - name: Check required secrets exist
+      - name: Deploy secrets
         env:
           VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
         run: |
-          # List and verify required secrets are set
-          npx vaulter list -e prd --json | jq -e '.DATABASE_URL and .API_KEY'
+          npx vaulter k8s:secret -e ${{ inputs.environment }} | kubectl apply -f -
+
+      - name: Deploy configmaps
+        run: |
+          npx vaulter k8s:configmap -e ${{ inputs.environment }} | kubectl apply -f -
 ```
 
 ### GitLab CI
 
 ```yaml
 stages:
-  - validate
   - deploy
 
-variables:
-  VAULTER_KEY: $VAULTER_KEY
-
-validate-secrets:
-  stage: validate
-  script:
-    - npx vaulter list -e $CI_ENVIRONMENT_NAME --json | jq -e 'keys | length > 0'
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-
 deploy-secrets:
   stage: deploy
+  image: node:22-alpine
   script:
-    - npx vaulter k8s:secret -e prd | kubectl apply -f -
+    - npx vaulter k8s:secret -e ${CI_ENVIRONMENT_NAME} | kubectl apply -f -
   environment:
-    name: production
+    name: $CI_COMMIT_REF_NAME
   rules:
     - if: $CI_COMMIT_BRANCH == "main"
+      variables:
+        CI_ENVIRONMENT_NAME: prd
+    - if: $CI_COMMIT_BRANCH == "develop"
+      variables:
+        CI_ENVIRONMENT_NAME: dev
 ```
 
-### CircleCI
+### Jenkins Pipeline
 
-```yaml
-version: 2.1
-jobs:
-  deploy:
-    docker:
-      - image: cimg/node:20.0
-    steps:
-      - checkout
-      - run:
-          name: Deploy secrets
-          command: |
-            npx vaulter k8s:secret -e prd | kubectl apply -f -
-          environment:
-            VAULTER_KEY: ${VAULTER_KEY}
-
-workflows:
-  deploy:
-    jobs:
-      - deploy:
-          filters:
-            branches:
-              only: main
+```groovy
+pipeline {
+    agent any
+
+    environment {
+        VAULTER_KEY = credentials('vaulter-key')
+        AWS_ACCESS_KEY_ID = credentials('aws-access-key')
+        AWS_SECRET_ACCESS_KEY = credentials('aws-secret-key')
+    }
+
+    stages {
+        stage('Deploy Secrets') {
+            steps {
+                sh 'npx vaulter k8s:secret -e prd | kubectl apply -f -'
+            }
+        }
+    }
+}
+```
+
+### Docker Integration
+
+```bash
+# Recommended: Use --env-file for production (handles all values safely)
+vaulter export -e prd --format=env > .env.prd
+docker run --env-file .env.prd myapp
+
+# For simple values only: command substitution (no spaces/newlines in values)
+docker run $(vaulter export -e prd --format=docker-args) myapp
+```
+
+> **Note**: The `docker-args` format outputs `-e "KEY=VALUE"` flags. Due to shell word-splitting,
+> values containing spaces or special characters won't work correctly with `$(...)` substitution.
+> Use `--env-file` for complex values or production deployments.
+
+For `docker build` with build args, use shell format:
+
+```bash
+# Export to shell and use in build
+eval $(vaulter export -e prd)
+docker build \
+  --build-arg DATABASE_URL="$DATABASE_URL" \
+  --build-arg API_KEY="$API_KEY" \
+  -t myapp .
+```
+
+### Terraform Integration
+
+```bash
+# Generate tfvars
+vaulter tf:vars -e prd > secrets.auto.tfvars
+
+# Or inline
+terraform plan -var-file=<(vaulter tf:vars -e prd)
+```
+
+### Helm Integration
+
+```bash
+# Upgrade with secrets as values
+vaulter helm:values -e prd | helm upgrade myapp ./chart -f -
+
+# Or save to file
+vaulter helm:values -e prd > values.secrets.yaml
+helm upgrade myapp ./chart -f values.yaml -f values.secrets.yaml
+```
+
+### Shell Aliases (Development)
+
+```bash
+# Add to ~/.bashrc or ~/.zshrc
+alias vdev='eval $(vaulter export -e dev)'
+alias vstg='eval $(vaulter export -e stg)'
+alias vprd='eval $(vaulter export -e prd)'
+
+# Usage
+vdev npm run dev
+vstg npm run test:integration
 ```
 
-### Azure DevOps
+---
+
+## Configuration
+
+### Basic Config
 
 ```yaml
-trigger:
-  - main
+# .vaulter/config.yaml
+version: "1"
 
-pool:
-  vmImage: 'ubuntu-latest'
+project: my-project
+service: api  # optional, for monorepos
 
-steps:
-  - task: NodeTool@0
-    inputs:
-      versionSpec: '20.x'
-
-  - script: |
-      npx vaulter k8s:secret -e prd | kubectl apply -f -
-    displayName: 'Deploy secrets'
-    env:
-      VAULTER_KEY: $(VAULTER_KEY)
-      AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
-      AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
+backend:
+  url: s3://bucket/envs?region=us-east-1
+  # Or multiple with fallback
+  urls:
+    - s3://bucket/envs?region=us-east-1
+    - file:///home/user/.vaulter-store
+
+encryption:
+  key_source:
+    - env: VAULTER_KEY
+    - file: .vaulter/.key
+
+environments:
+  - dev
+  - stg
+  - prd
+
+default_environment: dev
+```
+
+### Directory Modes
+
+#### Unified Mode (Default)
+
+```
+my-project/
+├── .vaulter/
+│   ├── config.yaml
+│   └── environments/
+│       ├── dev.env
+│       ├── stg.env
+│       └── prd.env
+```
+
+#### Split Mode
+
+Separates configs (committable) from secrets (gitignored):
+
+```
+my-project/
+├── .vaulter/config.yaml
+└── deploy/
+    ├── configs/           # ✅ Committable (PORT, HOST, LOG_LEVEL)
+    │   ├── dev.env
+    │   └── prd.env
+    └── secrets/           # ❌ Gitignored (DATABASE_URL, API_KEY)
+        ├── dev.env
+        └── prd.env
+```
+
+```yaml
+directories:
+  mode: split
+  configs: deploy/configs
+  secrets: deploy/secrets
 ```
 
-### CI/CD Best Practices
+Initialize with: `vaulter init --split`
+
+### Backend URLs
+
+| Provider | URL Format |
+|:---------|:-----------|
+| AWS S3 | `s3://bucket/path?region=us-east-1` |
+| AWS S3 + Profile | `s3://bucket/path?profile=myprofile` |
+| MinIO | `http://KEY:SECRET@localhost:9000/bucket` |
+| Cloudflare R2 | `https://KEY:SECRET@ACCOUNT.r2.cloudflarestorage.com/bucket` |
+| DigitalOcean Spaces | `https://KEY:SECRET@nyc3.digitaloceanspaces.com/bucket` |
+| Backblaze B2 | `https://KEY:SECRET@s3.us-west-002.backblazeb2.com/bucket` |
+| FileSystem | `file:///path/to/storage` |
+| Memory | `memory://bucket-name` |
+
+---
+
+## Integrations
+
+### Kubernetes
 
-| Practice | Recommendation |
-|:---------|:---------------|
-| **Store VAULTER_KEY securely** | Use CI provider's secret management |
-| **Use IAM roles when possible** | Prefer roles over hardcoded credentials |
-| **Different keys per environment** | Don't share prd key with dev |
-| **Validate before deploy** | Run `--dry-run` first in pipelines |
-| **Use environment protection** | Require approval for prd deploys |
-| **Cache vaulter binary** | Download once per pipeline, not per job |
+```bash
+# Deploy Secret
+vaulter k8s:secret -e prd -n my-namespace | kubectl apply -f -
+
+# Deploy ConfigMap
+vaulter k8s:configmap -e prd | kubectl apply -f -
+```
 
-### Caching Vaulter Binary
+Note: Custom secret/configmap names are configured in `.vaulter/config.yaml`:
 
 ```yaml
-# GitHub Actions
-- uses: actions/cache@v3
-  with:
-    path: ~/.npm
-    key: vaulter-${{ runner.os }}
-
-# Or use the installer script
-- name: Install vaulter
-  run: |
-    curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
-    echo "$HOME/.local/bin" >> $GITHUB_PATH
+integrations:
+  kubernetes:
+    secret_name: my-app-secrets
+    configmap_name: my-app-config
+```
+
+### Helm
+
+```bash
+# Pass as values
+vaulter helm:values -e prd | helm upgrade myapp ./chart -f -
+
+# Save to file
+vaulter helm:values -e prd > values.secrets.yaml
+```
+
+### Terraform
+
+```bash
+# Generate tfvars
+vaulter tf:vars -e prd > terraform.tfvars
+
+# Generate JSON
+vaulter tf:json -e prd > terraform.tfvars.json
+```
+
+---
+
+## Monorepo Support
+
+Vaulter auto-detects all major monorepo tools:
+
+| Tool | Detection File | Workspace Config |
+|:-----|:---------------|:-----------------|
+| NX | `nx.json` | `workspaceLayout` |
+| Turborepo | `turbo.json` | Uses pnpm/yarn workspaces |
+| Lerna | `lerna.json` | `packages` array |
+| pnpm | `pnpm-workspace.yaml` | `packages` array |
+| Yarn | `package.json` | `workspaces` field |
+| Rush | `rush.json` | `projects[].projectFolder` |
+
+### Scan Command
+
+```bash
+# Discover all packages
+vaulter scan
+
+# Output:
+# Monorepo: NX
+# Found 17 package(s):
+#   ✓ Initialized: 3
+#   ○ Not initialized: 14
+#   📄 With .env files: 11
 ```
 
-## Security Best Practices
-
-| Practice | How |
-|:---------|:----|
-| Never commit credentials | Use `config.local.yaml` or env vars |
-| Never commit encryption keys | Add `.vaulter/.key` to `.gitignore` |
-| Use env var expansion | `${AWS_ACCESS_KEY_ID}` instead of hardcoding |
-| Use AWS credential chain | No credentials in URL, use IAM roles |
-| Separate keys per environment | Different keys for dev/stg/prd |
-| Restrict S3 bucket access | IAM policies to limit readers |
-
-### Files to .gitignore
-
-```gitignore
-.vaulter/.key
-.vaulter/config.local.yaml
-**/config.local.yaml
-deploy/secrets/
-.env
-.env.*
+### Batch Operations
+
+```bash
+# Sync all services
+vaulter sync -e dev --all
+
+# Sync specific services
+vaulter sync -e dev -s api,worker
 ```
 
+---
+
 ## API Usage
 
 ```typescript
@@ -1346,93 +984,114 @@ const client = new VaulterClient({ config })
 
 await client.connect()
 
-// Get
+// CRUD operations
 const value = await client.get('DATABASE_URL', 'my-project', 'prd')
+await client.set({ key: 'API_KEY', value: 'sk-xxx', project: 'my-project', environment: 'prd' })
+const vars = await client.list({ project: 'my-project', environment: 'prd' })
 
-// Set
-await client.set({
-  key: 'API_KEY',
-  value: 'sk-secret',
-  project: 'my-project',
-  environment: 'prd'
-})
+await client.disconnect()
+```
 
-// List
-const vars = await client.list({
-  project: 'my-project',
-  environment: 'prd'
-})
+### Dotenv Compatible
 
-// Export
-const envVars = await client.export('my-project', 'prd')
+```typescript
+// Auto-load .env into process.env
+import 'vaulter/load'
 
-await client.disconnect()
+// Or with options
+import { loader } from 'vaulter'
+loader({ path: '.env.local', override: true })
 ```
 
-## Comparison
-
-| Feature | vaulter | dotenv | doppler | vault |
-|:--------|:-------:|:------:|:-------:|:-----:|
-| Multi-backend | ✅ | ❌ | ❌ | ❌ |
-| Encryption | AES-256-GCM | ❌ | ✅ | ✅ |
-| K8s integration | Native | ❌ | Plugin | Plugin |
-| Self-hosted | ✅ | N/A | ❌ | ✅ |
-| Monorepo | Native | ❌ | Limited | ❌ |
-| MCP/AI | ✅ | ❌ | ❌ | ❌ |
-| Complexity | Low | Low | Medium | High |
-
-## Numbers
-
-| Metric | Value |
-|:-------|:------|
-| Backends | 7 (S3, MinIO, R2, Spaces, B2, FileSystem, Memory) |
-| Environments | 5 (dev, stg, prd, sbx, dr) |
-| Export Formats | 5 (shell, json, yaml, env, tfvars) |
-| MCP Tools | 14 (core, sync, analysis, monorepo, k8s, setup) |
-| MCP Resources | 5 (config, services, vars, service vars, compare) |
-| MCP Prompts | 5 (setup, migrate, deploy, compare, audit) |
-| Integrations | 5 (K8s Secret, K8s ConfigMap, Helm, Terraform, tfvars) |
+---
 
-## Pre-built Binaries
+## MCP Server
 
-### Automatic Installation
+Vaulter includes a **Model Context Protocol (MCP)** server for AI assistant integration.
+
+### Setup
 
 ```bash
-# Installs to ~/.local/bin by default
-curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
-```
+# Start server
+vaulter mcp
 
-The installer auto-detects your OS and architecture.
+# Test with MCP Inspector
+npx @anthropic-ai/mcp-inspector vaulter mcp
+```
 
-### Manual Download
+### Claude Desktop Config
 
-Download from [Releases](https://github.com/forattini-dev/vaulter/releases):
+```json
+{
+  "mcpServers": {
+    "vaulter": {
+      "command": "vaulter",
+      "args": ["mcp"]
+    }
+  }
+}
+```
 
-| Platform | Binary | Install |
-|:---------|:-------|:--------|
-| Linux x64 | `vaulter-linux-x64` | `chmod +x vaulter-linux-x64 && mv vaulter-linux-x64 ~/.local/bin/vaulter` |
-| Linux ARM64 | `vaulter-linux-arm64` | `chmod +x vaulter-linux-arm64 && mv vaulter-linux-arm64 ~/.local/bin/vaulter` |
-| macOS x64 | `vaulter-macos-x64` | `chmod +x vaulter-macos-x64 && mv vaulter-macos-x64 /usr/local/bin/vaulter` |
-| macOS ARM64 | `vaulter-macos-arm64` | `chmod +x vaulter-macos-arm64 && mv vaulter-macos-arm64 /usr/local/bin/vaulter` |
-| Windows x64 | `vaulter-win-x64.exe` | Add to PATH |
+### Available Tools (19)
+
+| Tool | Description |
+|:-----|:------------|
+| `vaulter_get` | Get a variable |
+| `vaulter_set` | Set a variable |
+| `vaulter_delete` | Delete a variable |
+| `vaulter_list` | List variables |
+| `vaulter_export` | Export in various formats |
+| `vaulter_sync` | Bidirectional sync |
+| `vaulter_pull` | Download from backend |
+| `vaulter_push` | Upload to backend |
+| `vaulter_compare` | Compare environments |
+| `vaulter_search` | Search by pattern |
+| `vaulter_scan` | Scan monorepo |
+| `vaulter_services` | List services |
+| `vaulter_k8s_secret` | Generate K8s Secret |
+| `vaulter_k8s_configmap` | Generate K8s ConfigMap |
+| `vaulter_init` | Initialize project |
+| `vaulter_key_generate` | Generate encryption key (symmetric or asymmetric) |
+| `vaulter_key_list` | List all keys (project + global) |
+| `vaulter_key_show` | Show key details |
+| `vaulter_key_export` | Export key to encrypted bundle |
+| `vaulter_key_import` | Import key from encrypted bundle |
+
+### Resources (7)
+
+- `vaulter://config` — Project configuration
+- `vaulter://services` — Monorepo services
+- `vaulter://keys` — List all encryption keys (project + global)
+- `vaulter://keys/<name>` — Specific key details
+- `vaulter://keys/global/<name>` — Global key details
+- `vaulter://project/env` — Environment variables
+- `vaulter://project/env/service` — Service-specific vars
+- `vaulter://compare/env1/env2` — Environment diff
+
+### Prompts (5)
+
+- `setup_project` — Initialize a new project
+- `migrate_dotenv` — Migrate existing .env
+- `deploy_secrets` — Deploy to Kubernetes
+- `compare_environments` — Compare two environments
+- `security_audit` — Audit for security issues
 
-### CI/CD Installation
+---
 
-```bash
-# GitHub Actions / GitLab CI / CircleCI
-curl -fsSL https://raw.githubusercontent.com/forattini-dev/vaulter/main/install.sh | sh
-export PATH="$HOME/.local/bin:$PATH"
-vaulter --version
-```
+## Pre-built Binaries
 
-## License
+Download from [Releases](https://github.com/forattini-dev/vaulter/releases):
 
-MIT © [Forattini](https://github.com/forattini-dev)
+| Platform | Binary |
+|:---------|:-------|
+| Linux x64 | `vaulter-linux-x64` |
+| Linux ARM64 | `vaulter-linux-arm64` |
+| macOS x64 | `vaulter-macos-x64` |
+| macOS ARM64 | `vaulter-macos-arm64` |
+| Windows x64 | `vaulter-win-x64.exe` |
 
 ---
 
-<div align="center">
-
-**[Documentation](#configuration)** · **[Issues](https://github.com/forattini-dev/vaulter/issues)** · **[Releases](https://github.com/forattini-dev/vaulter/releases)**
+## License
 
-</div>
+MIT © [Forattini](https://github.com/forattini-dev)