.env.vault.local
Just because a secret is "local only" doesn't mean it's harmless. If a local key grants access to a sandbox AWS account with limited resources, an attacker who obtains it can still abuse those resources. Rotate your personal development keys every 90 days.
The name ".env.vault.local" might look like an emerging standard, but be aware that the tooling relies on a specific command for local development: npx dotenv-vault local build . .env.vault.local
Note that .env.vault.local is not used in CI/CD environments (no per-developer configuration is needed there). This approach significantly improves security: even if the encrypted .env.vault file is accidentally exposed in the code repository, an attacker without the DOTENV_KEY cannot recover the decrypted sensitive values.