feat: keyring, unencrypted, and external vaults

Author: jahvon

README.md

@@ -38,7 +38,7 @@ flow run hello
 flow complements existing CLI tools by adding multi-project organization, built-in security, and visual discovery to your automation toolkit.
 
 - **Workspace organization** - Group and manage workflows across multiple projects
-- **Encrypted secret vaults** - Multiple backends (AES, Age, external tools)
+- **Encrypted secret vaults** - Multiple backends (AES, Age, keyring, external tools)
 - **Interactive discovery** - Browse, search, and filter workflows visually
 - **Flexible execution** - Serial, parallel, conditional, and interactive workflows
 - **Workflow generation** - Create projects and workflows from reusable templates

cmd/internal/flags/types.go

@@ -203,7 +203,7 @@ var VaultSetFlag = &Metadata{
 var VaultTypeFlag = &Metadata{
 	Name:      "type",
 	Shorthand: "t",
-	Usage:     "Vault type. Either age or aes256",
+	Usage:     "Vault type. Either unencrypted, age, aes256, keyring, or external",
 	Default:   "aes256",
 	Required:  false,
 }
@@ -250,3 +250,11 @@ var VaultIdentityFileFlag = &Metadata{
 	Default:  "",
 	Required: false,
 }
+
+var VaultFromFileFlag = &Metadata{
+	Name:      "config",
+	Shorthand: "c",
+	Usage:     "File path to read the external vault's configuration from. The file must be a valid vault configuration file.",
+	Default:   "",
+	Required:  false,
+}

cmd/internal/vault.go

@@ -64,6 +64,7 @@ func registerCreateVaultCmd(ctx *context.Context, vaultCmd *cobra.Command) {
 	RegisterFlag(ctx, createCmd, *flags.VaultTypeFlag)
 	RegisterFlag(ctx, createCmd, *flags.VaultPathFlag)
 	RegisterFlag(ctx, createCmd, *flags.VaultSetFlag)
+	RegisterFlag(ctx, createCmd, *flags.VaultFromFileFlag)
 	// AES flags
 	RegisterFlag(ctx, createCmd, *flags.VaultKeyEnvFlag)
 	RegisterFlag(ctx, createCmd, *flags.VaultKeyFileFlag)
@@ -82,6 +83,8 @@ func createVaultFunc(ctx *context.Context, cmd *cobra.Command, args []string) {
 	setVault := flags.ValueFor[bool](cmd, *flags.VaultSetFlag, false)
 
 	switch strings.ToLower(vaultType) {
+	case "unencrypted":
+		vaultV2.NewUnencryptedVault(vaultName, vaultPath)
 	case "aes256":
 		keyEnv := flags.ValueFor[string](cmd, *flags.VaultKeyEnvFlag, false)
 		keyFile := flags.ValueFor[string](cmd, *flags.VaultKeyFileFlag, false)
@@ -92,8 +95,19 @@ func createVaultFunc(ctx *context.Context, cmd *cobra.Command, args []string) {
 		identityEnv := flags.ValueFor[string](cmd, *flags.VaultIdentityEnvFlag, false)
 		identityFile := flags.ValueFor[string](cmd, *flags.VaultIdentityFileFlag, false)
 		vaultV2.NewAgeVault(vaultName, vaultPath, recipients, identityEnv, identityFile)
+	case "keyring":
+		vaultV2.NewKeyringVault(vaultName)
+	case "external":
+		cfgFile := flags.ValueFor[string](cmd, *flags.VaultFromFileFlag, false)
+		if cfgFile == "" {
+			logger.Log().Fatalf("external vault requires a configuration file to be specified with --config")
+		}
+		vaultV2.NewExternalVault(vaultPath)
 	default:
-		logger.Log().Fatalf("unsupported vault type: %s - must be one of 'aes256' or 'age'", vaultType)
+		logger.Log().Fatalf(
+			"unsupported vault type: %s - must be one of 'aes256', 'age', 'unencrypted', 'keyring', or 'external'",
+			vaultType,
+		)
 	}
 
 	if ctx.Config.Vaults == nil {

docs/cli/flow_vault_create.md

@@ -9,6 +9,7 @@ flow vault create NAME [flags]
 ### Options
 
 ```
+  -c, --config string          File path to read the external vault's configuration from. The file must be a valid vault configuration file.
   -h, --help                   help for create
       --identity-env string    Environment variable name for the Age vault identity. Only used for Age vaults.
       --identity-file string   File path for the Age vault identity. An absolute path is recommended. Only used for Age vaults.
@@ -17,7 +18,7 @@ flow vault create NAME [flags]
   -p, --path string            Directory that the vault will use to store its data. If not set, the vault will be stored in the flow cache directory.
       --recipients string      Comma-separated list of recipient keys for the vault. Only used for Age vaults.
   -s, --set                    Set the newly created vault as the current vault
-  -t, --type string            Vault type. Either age or aes256 (default "aes256")
+  -t, --type string            Vault type. Either unencrypted, age, aes256, keyring, or external (default "aes256")
 ```
 
 ### Options inherited from parent commands

docs/guide/secrets.md

@@ -100,6 +100,81 @@ flow vault create team --type age --recipients key1,key2,key3 --identity-file ~/
 flow vault create team --type age --recipients key1,key2,key3 --identity-env MY_IDENTITY
 ```
 
+#### **Unencrypted**
+A simple vault that stores secrets in plain text JSON files.
+This is not recommended for production use but can be useful for development or testing.
+
+```shell
+# Create an unencrypted vault
+flow vault create dev --type unencrypted
+```
+
+
+#### **Keyring**
+
+A vault that uses your operating system's keyring for managing secrets. 
+This is a good option for personal use where you want seamless integration with your OS security.
+
+```shell
+# Create a keyring vault
+flow vault create dev --type keyring
+```
+
+#### **External (other CLI tools)**
+
+An external vault that uses executes an external CLI tool via shell commands to manage secrets. 
+This allows you to integrate with existing secret management systems.
+
+First you have to define the external vault configuration in JSON format. Here is a sample one that uses the `pass` CLI tool:
+
+```json
+{
+  "id": "pass",
+  "type": "external",
+  "external": {
+    "get": {
+      "cmd": "pass show {{key}}",
+      "output": "{{output}}"
+    },
+    "set": {
+      "cmd": "pass insert -e {{key}}",
+      "input": "{{value}}"
+    },
+    "delete": {
+      "cmd": "pass rm -f {{key}}"
+    },
+    "list": {
+      "cmd": "pass ls",
+      "output": "{{output}}"
+    },
+    "environment": {
+      "PASSWORD_STORE_DIR": "$PASSWORD_STORE_DIR"
+    },
+    "timeout": "30s"
+  }
+}
+```
+
+> [!INFO]
+> See the [flowexec/vault examples](https://github.com/flowexec/vault/tree/v0.2.1/examples) for sample configurations for popular CLI tools like Bitwarden, 1Password, AWS SSM, and more.
+
+
+```shell
+# Create an external vault
+flow vault create passwords --type external --config /path/to/config.json
+```
+
+**Template Variables**
+
+Available in `cmd` and `output` fields:
+
+- `{{key}}` - The secret key/name
+- `{{value}}` - The secret value (for set operations)
+- `{{env["VariableName"]}}`- Environment variable value
+- `{{output}}` - Raw command output (for output templates)
+
+All [Expr language](https://expr-lang.org/docs/language-definition) operators and functions can be used in the command templates, allowing for powerful dynamic secret management.
+
 <!-- tabs:end -->
 
 #### Authentication
@@ -109,6 +184,9 @@ If you did not provide a key or file, these default environment variables will b
 
 - For AES256 vaults: `FLOW_VAULT_KEY` environment variable
 - For Age vaults: `FLOW_VAULT_IDENTITY` environment variable
+- For Unencrypted vaults: no key is needed, it stores secrets in plain text
+- For Keyring vaults: no key is needed, it uses the OS keyring directly
+- For External vaults: no key is needed, it uses the external CLI tool directly. Auth may be required by the tool itself
 
 At least one of the key or file will be used. You can configure key storage during vault creation:
 

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/charmbracelet/x/exp/teatest v0.0.0-20250806222409-83e3a29d542f
 	github.com/flowexec/tuikit v0.2.3
-	github.com/flowexec/vault v0.1.2
+	github.com/flowexec/vault v0.2.1
 	github.com/gen2brain/beeep v0.11.1
 	github.com/jahvon/expression v0.1.3
 	github.com/jahvon/glamour v0.8.1-patch3
@@ -32,6 +32,7 @@ require (
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	filippo.io/age v1.2.1 // indirect
 	git.sr.ht/~jackmordaunt/go-toast v1.1.2 // indirect
 	github.com/alecthomas/chroma/v2 v2.20.0 // indirect
@@ -50,6 +51,7 @@ require (
 	github.com/charmbracelet/x/exp/strings v0.0.0-20250806222409-83e3a29d542f // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
@@ -90,6 +92,7 @@ require (
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yuin/goldmark v1.7.13 // indirect
 	github.com/yuin/goldmark-emoji v1.0.6 // indirect
+	github.com/zalando/go-keyring v0.2.6 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect

go.sum

@@ -1,3 +1,5 @@
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
 filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
@@ -63,6 +65,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3
 github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -78,8 +82,8 @@ github.com/expr-lang/expr v1.17.5 h1:i1WrMvcdLF249nSNlpQZN1S6NXuW9WaOfF5tPi3aw3k
 github.com/expr-lang/expr v1.17.5/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
 github.com/flowexec/tuikit v0.2.3 h1:hGlBc8yXvj4AXaKFp+IUNQ9nO7xOYY4W99m1BfNT13Q=
 github.com/flowexec/tuikit v0.2.3/go.mod h1:fjMwEM7FkxbP7bIV4CfEjsixgjicgQqPrejoBZAHf5s=
-github.com/flowexec/vault v0.1.2 h1:INQ/w81piKRM+zqPBQpxFYl1iK8dI3APIHZ1F1Jm7CA=
-github.com/flowexec/vault v0.1.2/go.mod h1:nxoGHIVjwSgg1o6DoTmj5NCJtubu71SvS883LPUXuvg=
+github.com/flowexec/vault v0.2.1 h1:IYII6iXhhzUc4o0arJVH8281so67L9V8HY8ary/kTps=
+github.com/flowexec/vault v0.2.1/go.mod h1:6JHONK+fTf8Zn7bOwejzbKTWuIh1BYHxgAwBc/XPXeY=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/gen2brain/beeep v0.11.1 h1:EbSIhrQZFDj1K2fzlMpAYlFOzV8YuNe721A58XcCTYI=
@@ -100,6 +104,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5 h1:xhMrHhTJ6zxu3gA4enFM9MLn9AY7613teCdFnlUVbSQ=
 github.com/google/pprof v0.0.0-20250630185457-6e76a2b096b5/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
@@ -187,6 +193,8 @@ github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
@@ -204,6 +212,8 @@ github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
 github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs=
 github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
 go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=

internal/vault/v2/vault.go

@@ -19,6 +19,7 @@ const (
 	LegacyVaultReservedName = "legacy"
 
 	v2CacheDataDir = "vaults"
+	keyringService = "io.flowexec.flow"
 )
 
 type Vault = vault.Provider
@@ -101,6 +102,27 @@ func generateAESKey(keyEnv, logLevel string) string {
 	return key
 }
 
+func NewUnencryptedVault(name, storagePath string) {
+	storagePath = utils.ExpandPath(storagePath, CacheDirectory(""), nil)
+	if storagePath == "" {
+		logger.Log().Fatalf("unable to expand storage path: %s", storagePath)
+	}
+
+	opts := []vault.Option{vault.WithUnencryptedPath(storagePath), vault.WithProvider(vault.ProviderTypeUnencrypted)}
+
+	v, cfg, err := vault.New(name, opts...)
+	if err != nil {
+		logger.Log().FatalErr(err)
+	}
+
+	cfgPath := ConfigFilePath(v.ID())
+	if err = vault.SaveConfigJSON(*cfg, cfgPath); err != nil {
+		logger.Log().FatalErr(fmt.Errorf("unable to save vault config: %w", err))
+	}
+
+	logger.Log().PlainTextSuccess(fmt.Sprintf("Vault '%s' without encryption created successfully", v.ID()))
+}
+
 func NewAgeVault(name, storagePath, recipients, identityKey, identityFile string) {
 	storagePath = utils.ExpandPath(storagePath, CacheDirectory(""), nil)
 	if storagePath == "" {
@@ -137,6 +159,51 @@ func NewAgeVault(name, storagePath, recipients, identityKey, identityFile string
 	logger.Log().PlainTextSuccess(fmt.Sprintf("Vault '%s' with Age encryption created successfully", v.ID()))
 }
 
+func NewKeyringVault(name string) {
+	opts := []vault.Option{
+		vault.WithKeyringService(fmt.Sprintf("%s.%s", keyringService, name)),
+		vault.WithProvider(vault.ProviderTypeKeyring)}
+	v, cfg, err := vault.New(name, opts...)
+	if err != nil {
+		logger.Log().FatalErr(err)
+	}
+
+	cfgPath := ConfigFilePath(v.ID())
+	if err = vault.SaveConfigJSON(*cfg, cfgPath); err != nil {
+		logger.Log().FatalErr(fmt.Errorf("unable to save vault config: %w", err))
+	}
+
+	logger.Log().PlainTextSuccess(fmt.Sprintf("Vault '%s' with Keyring encryption created successfully", v.ID()))
+}
+
+func NewExternalVault(providerConfigFile string) {
+	if providerConfigFile == "" {
+		logger.Log().Fatalf("provider config file path cannot be empty")
+	}
+
+	providerConfigFile = utils.ExpandPath(providerConfigFile, CacheDirectory(""), nil)
+	if providerConfigFile == "" {
+		logger.Log().Fatalf("unable to expand provider config file path: %s", providerConfigFile)
+	}
+
+	cfg, err := vault.LoadConfigJSON(providerConfigFile)
+	if err != nil {
+		logger.Log().FatalErr(fmt.Errorf("failed to load vault config: %w", err))
+	}
+
+	v, _, err := vault.New(cfg.ID, vault.WithExternalConfig(cfg.External))
+	if err != nil {
+		logger.Log().FatalErr(err)
+	}
+
+	cfgPath := ConfigFilePath(v.ID())
+	if err = vault.SaveConfigJSON(cfg, cfgPath); err != nil {
+		logger.Log().FatalErr(fmt.Errorf("unable to save vault config: %w", err))
+	}
+
+	logger.Log().PlainTextSuccess(fmt.Sprintf("Vault '%s' with external provider registered successfully", v.ID()))
+}
+
 func VaultFromName(name string) (*VaultConfig, Vault, error) {
 	if name == "" {
 		return nil, nil, fmt.Errorf("vault name cannot be empty")
@@ -157,6 +224,16 @@ func VaultFromName(name string) (*VaultConfig, Vault, error) {
 	case vault.ProviderTypeAES256:
 		provider, err := vault.NewAES256Vault(&cfg)
 		return &cfg, provider, err
+	case vault.ProviderTypeUnencrypted:
+		provider, err := vault.NewUnencryptedVault(&cfg)
+		return &cfg, provider, err
+	case vault.ProviderTypeKeyring:
+		provider, err := vault.NewKeyringVault(&cfg)
+		return &cfg, provider, err
+	case vault.ProviderTypeExternal:
+		// todo: rename this func in the vault pkg
+		provider, err := vault.NewExternalVaultProvider(&cfg)
+		return &cfg, provider, err
 	default:
 		return nil, nil, fmt.Errorf("unsupported vault type: %s", cfg.Type)
 	}