Facilitate ansible-vaulting of variables from within text editors

Continuing the discussion from Parsing and vaulting yaml the Ansible way with ruamel.yaml:

This code now has a GitHub repo to make collaboration easier. Your participation is welcome.

Here’s an interesting suggestion: When decrypting a previously vaulted value, rather than returning the plain scalar value, stick a YAML “!unvaulted” tag on it. This would enable pre-commit hooks to detect and prevent inadvertent attempts to commit secrets in plain text. The user could easily remove the tag or update and/or re-vault the data. If this is implemented, we should make it possible to “revault” such !unvaulted tagged data without having to remove the tag.

Fun project, fun times!

2 Likes
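The pre-commit check suggested in the post above, sketched as an added example; it is not code from the original post or from the project's repository. It assumes the tag is spelled exactly `!unvaulted`, that the hook receives staged file paths as arguments, and the names `find_unvaulted`, `redact` and `main` are hypothetical.

```python
#!/usr/bin/env python3
"""Pre-commit check: refuse YAML files that still carry an !unvaulted tag."""
import re
import sys

TAG = "!unvaulted"  # assumed spelling, taken from the suggestion in the post
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\'\'|[^\'])*\'')
_COMMENT = re.compile(r"(?:^|\s)#.*$")
# The tag must be a whole token: not part of a longer word or another tag.
_TAGGED = re.compile(r"(?<![\w!])" + re.escape(TAG) + r"(?=\s|$)")


def find_unvaulted(text):
    """Return (line_number, line) for each line where the tag is applied.

    Line-based heuristic, not a YAML parse: quoted strings and comments are
    ignored, but the tag's text inside a block scalar is still reported, so
    the check errs toward blocking the commit.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        bare = _COMMENT.sub("", _QUOTED.sub('""', line))
        if _TAGGED.search(bare):
            hits.append((number, line.strip()))
    return hits


def redact(line):
    """Cut the line at the tag so the plaintext secret never reaches hook output."""
    return line.split(TAG, 1)[0] + TAG + " <redacted>"


def main(paths):
    """Check each file named on the command line; return 1 if any is tagged."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8") as handle:
            for number, line in find_unvaulted(handle.read()):
                print(f"{path}:{number}: {redact(line)}", file=sys.stderr)
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The report line is redacted on purpose: hook output often ends up in terminal scrollback or CI logs, which would otherwise become a second place the decrypted value leaks to.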