sanctum-core

Pure, synchronous credential vault library for AI agent infrastructure.

No daemon. No sockets. No async runtime. Just embed it in your Rust application.

Quick Start

use sanctum_core::{Vault, AuditFilter};

// Initialize a new vault
let vault = Vault::init("~/.sanctum", b"strong-passphrase")?;

// Store a credential
vault.store("OPENAI_API_KEY", b"sk-abc123", "my-agent", None)?;

// Retrieve it
let secret = vault.retrieve("OPENAI_API_KEY", "my-agent")?;

// List all credentials
let creds = vault.list_credentials("my-agent")?;

// Query the audit log
let entries = vault.audit_log(&AuditFilter::new().agent("my-agent"))?;

Opening an Existing Vault

let vault = Vault::open("~/.sanctum")?;
vault.unlock(b"my-passphrase")?;

let secret = vault.retrieve("OPENAI_API_KEY", "my-agent")?;

Policy Enforcement

use sanctum_core::{Vault, Policy, Action};

let vault = Vault::init("/tmp/vault", b"passphrase")?;

// Add a policy
let policy = Policy {
    name: "allow-openai".into(),
    principal: "agent:my-bot".into(),
    resources: vec!["OPENAI_*".into()],
    actions: vec![Action::Retrieve],
    max_lease_ttl: 3600,
    conditions: Default::default(),
    enabled: true,
};
vault.add_policy(&policy)?;

// Policy is checked automatically on retrieve
let secret = vault.retrieve("OPENAI_API_KEY", "my-bot")?;

Thread Safety

Vault is Send + Sync — share it across threads with Arc:

use std::sync::Arc;

let vault = Arc::new(Vault::init("/tmp/vault", b"pass")?);
let v = Arc::clone(&vault);
std::thread::spawn(move || {
    let secret = v.retrieve("KEY", "agent").unwrap();
});

Features

• AES-256-GCM encryption with scrypt key derivation
• Hash-chained audit log — tamper-evident by design
• Glob-based policy engine with rate limiting
• SQLite metadata + binary sealed vault for secrets
• Zero-copy secret handling with zeroize-on-drop

Architecture

The Vault facade composes three subsystems:

License

See repository root for license information.