sanctum-core
Pure, synchronous credential vault library for AI agent infrastructure.
sanctum-core provides in-process secret management with policy enforcement
and tamper-evident audit logging — no daemon, no sockets, no async runtime.
Quick Start
```rust
use sanctum_ai::{AuditFilter, Vault, VaultError};

// Wrapped in a function returning the crate's `Result` alias so the `?`
// operator used throughout the snippet has somewhere to propagate to.
fn main() -> sanctum_ai::Result<()> {
    // Create a new vault
    let vault = Vault::init("/tmp/my-vault", b"strong-passphrase")?;

    // Store a credential
    vault.store("OPENAI_API_KEY", b"sk-abc123", "my-agent", None)?;

    // Retrieve it
    let secret = vault.retrieve("OPENAI_API_KEY", "my-agent")?;
    assert_eq!(secret, b"sk-abc123");

    // Query the audit log
    let entries = vault.audit_log(&AuditFilter::new().agent("my-agent"))?;
    Ok(())
}
```

Architecture
The Vault facade composes three subsystems:
- Store (`VaultStore`) — SQLite metadata + `SealedVault` encrypted storage
- Policy (`PolicyEngine`) — glob-based access control with rate limiting
- Audit (`AuditLogger`) — hash-chained, tamper-evident logging
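The "hash-chained, tamper-evident" property of the audit subsystem, shown as an added stand-alone example (not sanctum-core's own `AuditLogger` code): each entry's hash commits to its content and to the previous entry's hash, so editing or removing an earlier record breaks every link after it. The entry fields are assumptions modelled on the description above, and std's SipHash stands in for a cryptographic hash so the example runs with no dependencies.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// One chained audit record (fields assumed for illustration, not the crate's `AuditEntry`).
#[derive(Clone, Debug)]
pub struct ChainedEntry {
    pub seq: u64,
    pub agent: String,
    pub action: String,
    pub credential: String,
    pub prev_hash: u64,
    pub hash: u64,
}

// Stand-in for a cryptographic hash (SHA-256 in a real logger): SipHash via
// DefaultHasher keeps this dependency-free; the chaining logic is the same.
fn link_hash(seq: u64, agent: &str, action: &str, credential: &str, prev: u64) -> u64 {
    let mut h = DefaultHasher::new();
    (seq, agent, action, credential, prev).hash(&mut h);
    h.finish()
}

/// Append an entry whose hash covers its own content plus the previous hash.
pub fn append(log: &mut Vec<ChainedEntry>, agent: &str, action: &str, credential: &str) {
    let seq = log.len() as u64;
    let prev_hash = log.last().map_or(0, |e| e.hash); // genesis links to 0
    let hash = link_hash(seq, agent, action, credential, prev_hash);
    log.push(ChainedEntry {
        seq, agent: agent.into(), action: action.into(),
        credential: credential.into(), prev_hash, hash,
    });
}

/// Re-walk the chain from genesis. Err(i) names the first entry that does not
/// match its recomputed hash, its expected sequence number, or the prior link.
/// Note: silently dropping entries from the tail is only detectable if the
/// latest hash is anchored somewhere outside the log (e.g. in a compliance report).
pub fn verify(log: &[ChainedEntry]) -> Result<(), usize> {
    let mut prev = 0u64;
    for (i, e) in log.iter().enumerate() {
        let expected = link_hash(e.seq, &e.agent, &e.action, &e.credential, prev);
        if e.seq != i as u64 || e.prev_hash != prev || e.hash != expected {
            return Err(i);
        }
        prev = e.hash;
    }
    Ok(())
}
```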
Re-exports

```rust
pub use vault::AuditFilter;
pub use vault::Vault;
pub use error::Result;
pub use error::VaultError;
pub use policy::Action;
pub use policy::Policy;
pub use policy::PolicyConditions;
pub use policy::PolicyDecision;
pub use policy::PolicyEngine;
pub use store::AgentInfo;
pub use store::CredentialMeta;
pub use store::VaultStore;
pub use audit::AuditEntry;
pub use compliance::ComplianceReport;
pub use compliance::ReportConfig;
pub use compliance::ReportGenerator;
pub use compliance::SecurityPosture;
pub use baseline::AccessBaseline;
pub use baseline::BaselineEngine;
pub use anomaly::AnomalyAlert;
pub use anomaly::AnomalyConfig;
pub use anomaly::AnomalyDetector;
pub use anomaly::AlertKind;
pub use anomaly::Severity;
pub use protocol::RpcError;
pub use protocol::RpcRequest;
pub use protocol::RpcResponse;
```
Modules
- agent
- anomaly — Anomaly detection — compares real-time access against established baselines.
- audit
- baseline — Access pattern baselining — builds per-agent behavioral profiles from audit history.
- compliance — Compliance reporting — auto-generated reports from audit log data.
- crypto
- env_migration
- env_migration_cli
- error
- export — Export Layer — core event types and pure-logic modules for SanctumAI export.
- migration
- output
- policy
- protocol
- scanner
- sealed
- store
- tls — TLS certificate generation and rustls configuration for Sanctum.
- use_audit
- vault — High-level Vault facade for in-process credential management.