Dragon Vault
Local-Only Encrypted Version Control
Your code. Your history. Your machine. Dragon Vault provides encrypted version control that never leaves your device. Zero network calls. No GitHub. No cloud. No telemetry. Everything encrypted at rest with AES-256-GCM, derived from a passphrase only you know.
“Sovereignty over your source code means no one else touches it. Not a cloud provider, not a SaaS company, not a CDN. If you lose your passphrase, you lose your vault. There is no recovery mechanism. This is by design.”
// Two Ways To Use It
CLI & Menu Bar
Both interfaces talk to the same encrypted vault on disk — they never disagree.
macOS Menu Bar
Ambient operation — sits in your menu bar. One click per platform to commit, rollback, view history, or edit ignore rules. Polls every 5 seconds for changes. Passphrase stored securely in macOS Keychain.
CLI
Scriptable, headless-friendly, all the same operations plus JSON output for tooling integration. Init, add, commit, status, log, diff, rollback — everything you need from the command line.
// Core Capabilities
Sovereign Security
Every feature of Dragon Vault is engineered around one principle: your data never leaves your machine. No exceptions. No opt-outs. No compromises.
AES-256-GCM Encryption
Authenticated encryption for every file, every version. Tampering is detected on read — your intellectual property is sealed at rest with military-grade cryptography.
Scrypt Key Derivation
Memory-hard key derivation ensures brute-force attacks are computationally infeasible. Your passphrase becomes an impenetrable wall. No recovery mechanism — by design.
Zero Network Calls
No telemetry. No cloud sync. No phone-home. No GitHub. No CDN. Vault operates entirely on your machine — air-gapped security by design. Verify with lsof or Little Snitch.
Per-Platform Snapshots
Each tracked directory is an independent platform with its own snapshot lifecycle. Committing one project never touches another — fully isolated history chains.
Content-Addressable Dedup
SHA-256 content hashing with a shared encrypted blob pool. Identical files across projects dedup to one blob — disk-efficient without sacrificing security.
Instant Local Performance
No latency from remote servers. Instant commits, instant diffs, instant restores. The speed of local with the security of a vault.
// Workflow
Four Steps. Total Sovereignty.
Initialize
Set your encryption passphrase. This is the only key that can unlock your vault. Lose it, and the vault is sealed forever.
vault initTrack
Add any directory as a platform. Its basename becomes the identity — each platform gets independent snapshots and history.
vault add /path/to/projectSnapshot
Commit encrypted snapshots with messages. AES-256-GCM wraps every file, path, and message. SHA-256 dedup keeps storage efficient.
vault commit -m "v1.0 release"Rollback
Restore to any previous snapshot instantly. A safety snapshot is auto-created before every rollback — you can never lose work.
vault rollback <snapshot-id>// Security Model
Version control that treats your source code like it matters — because it does.
File content, commit messages, file paths, and tracked directory paths are all encrypted at the application level. SHA-256 hashes serve as content identifiers without revealing content. No recovery mechanism exists — lost passphrase means a permanently sealed vault.
// Companion System
Dragon Crypt
Dragon Vault protects your code at rest. Dragon Crypt protects it in transit. Together they form a complete IP protection stack — encrypted snapshots on disk, masked payloads to the cloud.