Module secrets

Sealer/unsealer secret membrane.

Plugins granted Capability::Secret { ids } acquire opaque handles to named secrets — never raw bytes. The handle can be passed to other capability-gated host imports (e.g., host-net.http_get_with_secret) but cannot be read, logged, or serialized.

Threat model

  • Unreadable: the plugin’s code has no API to extract bytes from a SecretHandle. The handle is a host-side index into the in-process secret store.
  • Untransferable: handles cannot be serialized to plugin output batches (verified by the WASM IPC layer’s reject list).
  • Scoped: handles are tied to the issuing SecretStore and become invalid on plugin reload (the store is rebuilt).
  • Auditable: every SecretStore::acquire call emits a tracing event so security teams can detect anomalous frequencies.
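The four properties above, sketched as an added example that is not this crate's code. Only the names SecretHandle, SecretStore and acquire come from this page; the signatures, the with_secret helper, the per-store id used for scoping, and the audit Vec standing in for tracing events are assumptions, and the secret value is constructed.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};

static NEXT_STORE_ID: AtomicU64 = AtomicU64::new(1);

/// Opaque handle: private fields, no byte accessor, no Clone/Debug/Serialize.
pub struct SecretHandle { store_id: u64, index: usize }

pub struct SecretStore {
    id: u64,                         // assumption: a per-build id scopes handles
    sealed: Vec<Vec<u8>>,
    by_name: HashMap<String, usize>,
    pub audit: Vec<String>,          // stand-in for the tracing events
}

impl SecretStore {
    /// Build (or rebuild on reload) a store from constructed name/value pairs.
    pub fn new(secrets: &[(&str, &str)]) -> Self {
        let id = NEXT_STORE_ID.fetch_add(1, Ordering::Relaxed);
        let mut s = SecretStore { id, sealed: Vec::new(), by_name: HashMap::new(), audit: Vec::new() };
        for (name, value) in secrets {
            s.by_name.insert(name.to_string(), s.sealed.len());
            s.sealed.push(value.as_bytes().to_vec());
        }
        s
    }

    /// Issue a handle only for ids in `granted` (the Capability::Secret ids); always audit.
    pub fn acquire(&mut self, plugin: &str, granted: &[&str], name: &str) -> Option<SecretHandle> {
        let ok = granted.contains(&name) && self.by_name.contains_key(name);
        self.audit.push(format!("acquire plugin={} secret={} issued={}", plugin, name, ok));
        if !ok { return None; }
        Some(SecretHandle { store_id: self.id, index: self.by_name[name] })
    }

    /// Host-side unseal: `f` stands in for a host import that consumes the bytes.
    pub fn with_secret<R>(&self, h: &SecretHandle, f: impl FnOnce(&[u8]) -> R) -> Option<R> {
        if h.store_id != self.id { return None; } // issued by a store that was rebuilt
        self.sealed.get(h.index).map(|b| f(b.as_slice()))
    }
}

fn main() {
    let mut store = SecretStore::new(&[("api_token", "constructed-value")]);
    let h = store.acquire("plugin-a", &["api_token"], "api_token").unwrap();
    println!("host used {:?} bytes", store.with_secret(&h, |b| b.len()));
    let reloaded = SecretStore::new(&[("api_token", "constructed-value")]);
    println!("after reload: {:?}", reloaded.with_secret(&h, |b| b.len()));
    println!("audit: {:?}", store.audit);
}
```

Denied acquire calls are audited as well as successful ones, so a plugin probing for ids outside its grant shows up in the same event stream.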

Structs

SecretHandle
Opaque handle to a sealed secret.
SecretStore
In-process store of sealed secrets.