dotsec
No more .env files

KMS-native envelope encryption, schema-driven validation, language-agnostic runtime injection. Your secrets' access boundary is your existing IAM. Your audit trail is your existing CloudTrail.

🔐

KMS-native, AWS-integrated

Envelope encryption with EncryptionContext binding on every wrap and unwrap. IAM controls access; CloudTrail logs every decrypt. Push to SSM Parameter Store and Secrets Manager via @push directives, for runtime services that read from AWS directly.

🧪

Engineered like crypto matters

AAD-bound per-value AEAD, file-level MAC over canonical content, schema-hash binding, key commitment, length padding, zeroize on every exit path, constant-time integrity checks. Cargo-fuzz harness with 4 targets. Visible in the source.
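To make the "AAD-bound per-value AEAD" and "schema-hash binding" claims concrete, here is an added illustration in Go (not dotsec's own code; the AAD layout, the function names and the sample schema are assumptions): each value is sealed with AES-256-GCM under the unwrapped DEK, with the variable name and the schema hash as associated data, so a ciphertext moved to another variable, or opened against a changed schema, fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed AAD layout (illustrative, not dotsec's real format): sha256(schema) || 0x00 || name.
// Binding both means a ciphertext cannot be reused under another variable name or schema.
func aad(schema, name string) []byte {
	h := sha256.Sum256([]byte(schema))
	return append(append(h[:], 0), name...)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // a 32-byte DEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealValue encrypts one secret under the unwrapped DEK as nonce || ciphertext || tag.
func SealValue(dek []byte, schema, name, value string) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), aad(schema, name)), nil
}

// OpenValue rejects a blob sealed for another name or schema, or modified in any byte:
// the GCM tag authenticates the AAD together with the ciphertext.
func OpenValue(dek []byte, schema, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad(schema, name))
}
```

The file-level MAC, key commitment and padding the page lists sit on top of this per-value layer and are not shown here.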

✅

Schema-driven validation

Directives like @type, @format, @pattern, @min/@max enforce rules on every secret. Generate a zero-runtime-dependency TypeScript validator from your schema in one command — the generated file IS the validator.

🚀

Works with anything

dotsec run -- <your command>. No SDK per language. Works for Node, Python, Ruby, Go, Rust, Docker, kubectl, terraform โ€” anything that reads environment variables.

🛡️

Redacted output

When dotsec run spawns your process, encrypted values are scrubbed from stdout and stderr before they hit your terminal or CI logs. The "accidentally console.log()'d a secret" class of bug is defended against by default.

🔓

Standard age envelope — no lock-in

The wrapped DEK is a plain age envelope. Anyone with the private key can decrypt it with the age or rage CLI directly — your secrets are never trapped in a bespoke format.