Atelier docs

Security model

Atelier is designed around local encryption, conservative saving, and explicit apply behavior.

Local encryption before upload

Config contents are encrypted on your machine before they are uploaded. The hosted service stores encrypted snapshots and metadata, not plaintext config contents.

Vault passphrase

Your vault passphrase unlocks local key material used to encrypt and decrypt profile config snapshots. If the vault is locked on a machine, Atelier asks for the passphrase before save or apply operations that need decrypted contents.

Conservative save policy

Atelier blocks obvious unsafe candidates by default, including private auth material and files with detected secrets. This keeps the common path focused on shareable configuration.

Apply happens locally

Preview and apply download encrypted blobs, decrypt locally after vault unlock, and compare against local files on the machine. Plaintext diffs are not sent to the API.

Backups before replacement

Atelier does not silently overwrite a differing local file. Use --backup to copy the current local file into Atelier's local backup area before replacement.