We build byreis — friendly, zero-infra GitOps secrets management with one defining twist:

Contributors can submit secrets, but only admins can read them.

A contributor encrypts a value to the team's admin public keys and opens a pull request. They never hold a private key, so they can add or update a secret but can never decrypt one. An admin reviews the real value and merges. No server, no vendor backend — just git and modern public-key encryption.

SOPS+age is git-native but symmetric (anyone with a key reads everything); server-based managers need infrastructure; Kubernetes controllers don't fit local/CI flows. byreis fills the gap.

• byreis — the CLI. Apache-2.0. Early development.

🚧 Active early development. Architecture and the cryptographic access model are settled; core commands are landing. Open an issue before a PR so the direction can be discussed.