Tensor Vault: Secure secret storage with graph-based access control.
Secrets are encrypted at rest using AES-256-GCM. Access is controlled by graph topology - a requester must have a path to the secret node.
Security features:
- AES-256-GCM authenticated encryption
- Argon2id key derivation (GPU/ASIC resistant)
- Key obfuscation via HMAC (hides secret names in storage)
- Metadata encryption (hides creator, timestamps)
- Length padding (hides plaintext size)
- Pointer indirection (hides storage patterns)
- Graph-based access control (topological authorization)
Modules
- namespaced - Namespaced vault view for multi-tenant isolation.
- scoped - Scoped vault view for a specific entity.
Structs
- AccessController - Access controller using graph topology for authorization.
- AccessCycle - A cycle detected in the access graph.
- AccessExplanation - Full explanation of how an entity accesses (or fails to access) a secret.
- AccessHop - A single hop in an access path explanation.
- AccessTensor - 3D access tensor: entities x secrets x time_buckets.
- AccessTensorConfig - Configuration for building an access tensor.
- AccessTopology - Access topology: a flat matrix encoding entity-secret permission relationships.
- AgentProfile - Per-agent behavioral state tracked by the monitor.
- AnomalyMonitor - Thread-safe anomaly monitor that tracks per-agent behavior.
- AnomalyThresholds - Configurable thresholds for anomaly detection.
- ApiKeyConfig - Configuration for API key generation.
- AttenuationPolicy - Policy controlling how permissions attenuate with graph distance.
- AuditContext - Optional context for audit entries (IP, session, correlation ID).
- AuditEntry - Audit entry representing a single vault operation.
- AuditLog - Audit log for tracking vault operations.
- BatchPermissionResult - Result of a batch permission check.
- BatchSetResult - Per-entry outcome from a batch set operation.
- BehaviorEmbeddingConfig - Configuration for behavior embedding computation.
- BlastRadius - All secrets reachable by an entity.
- CertInfo - Information about an issued certificate.
- CertificateRequest - Certificate signing request parameters.
- ChangelogEntry - A single entry in a secret’s change history.
- Cipher - Encryption cipher using AES-256-GCM with HKDF-derived key.
- ClusteringResult - Result of clustering entities by their access graph structure.
- CriticalEntity - An entity identified as critical infrastructure.
- DelegationAnomalyScore - Anomaly score for a specific access grant.
- DelegationManager - Manages delegation relationships between agents.
- DelegationRecord - A recorded delegation from parent to child agent.
- DependencyInfo - Information about a single dependency edge.
- DriftDetection - Drift detection result for a single entity.
- DynamicSecretMetadata - Metadata for a generated dynamic secret.
- EngineRegistry - Registry of secret engines.
- EntityAccessProfile - Per-entity access behavior profile.
- EntityRiskScore - Per-entity risk score.
- EntityTrustScore - Per-entity trust score based on triangle participation.
- EnvSyncTarget - Environment variable sync target: sets env vars (in-process only).
- ExcludedTarget - A target excluded from sync with the reason.
- ExponentialAttenuationPolicy - Smooth exponential decay attenuation policy.
- FileSyncTarget - File-based sync target: writes secrets to files.
- GeoCoordinate - A point in 2D or 3D coordinate space representing a geographic location.
- GeoRouter - Thread-safe geometric router for sync targets.
- GeometricAnomalyReport - Report of geometric anomaly detection across all entities.
- GeometricAnomalyResult - Anomaly result for a single entity.
- GrantTTLTracker - Tracks grant expiration times for automatic revocation.
- HeatKernelConfig - Configuration for heat kernel trust diffusion.
- HeatKernelTrustReport - Report from heat kernel trust analysis.
- HeatKernelTrustScore - Per-entity trust score after heat kernel diffusion.
- ImpactReport - Report of secrets and agents affected by a change to a root secret.
- InferredRole - An inferred role based on community detection.
- KeyShare - A single key share from Shamir splitting.
- MasterKey - Derived master key for encryption (zeroized on drop).
- NewAccess - A new access created by a simulated grant.
- NodeEmbedding - Per-entity embedding vector derived from topology and access patterns.
- Obfuscator - Obfuscation utilities using HMAC-like construction.
- OverPrivilegedEntity - An entity with disproportionately high access.
- PagedSecrets - Paginated list of secret keys.
- PasswordConfig - Configuration for password generation.
- PendingRotation - A rotation that is due or overdue.
- PkiEngine - PKI engine implementing the SecretEngine trait.
- PlacementConfig - Tuning weights that control placement scoring.
- PlacementRecommendation - Recommended placement for a single secret across available regions.
- PolicyManager - Thread-safe policy manager backed by persistent storage.
- PolicyMatch - Result of evaluating policies for an entity.
- PolicyRedundancyReport - Report on policy redundancy and merge opportunities.
- PolicyTemplate - A policy template that grants access based on entity/secret patterns.
- PrivilegeAnalysis - Individual entity privilege analysis.
- PrivilegeAnalysisReport - Full privilege analysis report.
- QuotaManager - Thread-safe quota manager backed by persistent storage.
- RateLimitConfig - Configuration for rate limiting.
- RateLimiter - Rate limiter using sliding window algorithm.
- ReachableSecret - A single secret reachable by an entity.
- RegionRegistry - Thread-safe registry of deployment regions and entity geographic locations.
- ResourceQuota - Resource limits for a namespace.
- ResourceUsage - Current resource usage for a namespace.
- RevocationEntry - A single revocation entry in the CRL.
- RevocationList - Certificate revocation list signed by the CA.
- RiskContributor - Contributor to an entity’s risk.
- RiskPropagationReport - Full risk propagation report.
- RoleInferenceResult - Result of role inference.
- RotationPlan - Prioritized rotation plan for cascading secret changes.
- RotationPolicy - A declarative rotation policy for a secret.
- RotationStep - A step in a prioritized rotation plan.
- RoutedTarget - A target selected for sync with its composite score.
- RoutingConfig - Tuning knobs for geometric routing decisions.
- RoutingDecision - Routing outcome for a single secret sync operation.
- SealState - Seal state shared across the vault.
- SeasonalPattern - A seasonal pattern extracted via TT decomposition.
- SecretAccessProfile - Per-secret access pattern profile.
- SecretFeatures - Operational metadata features for a secret.
- SecretSummary - Summary metadata for a secret.
- SecurityAuditReport - Full security audit report.
- ShamirConfig - Configuration for Shamir secret sharing.
- SimilarSecret - A similar secret found by the similarity index.
- SimilarityIndex - HNSW-backed similarity index for secret metadata embeddings.
- SimulationResult - Result of a simulated grant.
- SinglePointOfFailure - An entity whose removal would disconnect parts of the graph.
- SpectralCluster - A cluster of entities with similar access patterns.
- StoredTemplate - A persisted secret template.
- SyncManager - Thread-safe sync manager.
- TargetGeometry - Health and location metadata for a sync target.
- TemplateManager - Thread-safe manager for secret generation templates.
- TemporalAnalysisConfig - Configuration for temporal pattern analysis.
- TemporalAnalysisReport - Combined temporal analysis report.
- TokenConfig - Configuration for token generation.
- TopologyConfig - Configuration for access topology extraction.
- TrustTransitivityReport - Full trust transitivity report.
- Vault - Secure secret storage with graph-based access control.
- VaultConfig - Configuration for the vault.
- VaultRegion - A vault deployment region with capacity and inter-region latency metadata.
- VaultSnapshot - Metadata about a vault snapshot.
- VaultStatus - Comprehensive vault health and status information.
- VersionDiff - Side-by-side comparison of two secret versions.
- VersionInfo - Information about a secret version.
- WeightedAffectedSecret - A downstream secret with weight and impact score.
- WeightedImpactReport - Weighted impact analysis report.
- WrappingToken - Metadata about a wrapping token.
Enums
- AnomalyEvent - An anomalous event detected by the monitor.
- AuditOperation - Types of auditable operations.
- DenialReason - Why access was denied.
- DependencyWeight - Weight classification for dependency edges.
- ExclusionReason - Why a target was excluded from the routing decision.
- Operation - Operation types that can be rate limited.
- PaddingSize - Padding block sizes for length hiding.
- PasswordCharset - Character sets for password generation.
- Permission - Permission levels for vault access.
- RotationGenerator - How to generate a new secret value on rotation.
- SecretTemplate - Template for generating dynamic secrets.
- TokenEncoding - Encoding format for tokens.
- VaultError - Error types for vault operations.
- VaultEvent - Events emitted by vault operations for monitoring and alerting.
Constants
- KEY_SIZE - AES-256 key size in bytes.
- NONCE_SIZE - 12-byte nonce for AES-GCM (96 bits is the standard).
- SALT_SIZE - Salt size for Argon2id key derivation.
Traits
- SecretEngine - Trait for pluggable secret engines.
- SyncTarget - Trait for external sync targets.
- VaultEventHandler - Trait for handling vault events.
Functions
- batch_recommend_placement - Recommend placement for every secret the vault root can list.
- recommend_placement - Recommend the best region placement for a single secret.
- reconstruct_master_key - Reconstruct a master key from shares using Lagrange interpolation over GF(256).
- split_master_key - Split a master key into shares using Shamir secret sharing over GF(256).
Type Aliases
- Result - A specialized Result type for vault operations.