Caching, post-enforcement.

Raw KV with capability declarations. Two providers shipped: Redis (production, reuses canonical RedisConnectionHardening) and InMemory (opt-in, dev / test only — bootstrap NEVER falls back to InMemory implicitly).

Typed result projections. Internal to EntityCore. Consumed by ReadCoordinator (hit/store) and WriteCoordinator (invalidate). Every cached read has already passed access evaluation.

Opted-in protected entities ride a CachedPayloadEnvelope with AAD bound to tenant ‖ project ‖ entity ‖ keyFormat ‖ keyVersion. No plaintext fallback — missing key ring → store skipped + invariant metric.

Centralized gate. Refuses transaction-scoped reads, non-ReadCommitted consistency, session-scoped reads, internal child reads, protected entities without opt-in. One canonical bypass authority.

platgen + ggen + pgen + egen. O(1) namespace invalidation. Survives dormant providers via durable per-project sequences. The cache key encodes truth-affecting inputs only.

TryAcquireFillLeaseAsync coordinates. Losers poll on capped exponential backoff and consume the winner's value. Lease-less providers degrade honestly to per-caller fill — never a dishonest contract.

CacheProviderBinding per project. Ancestry inheritance closer-ancestor-wins. Branchable, sandbox-able, scope-chain inherited like every other plane.

ICacheInvalidationBus. 21 distributed scopes. 13 caches subscribe — runtime compilers, surface compilers, schema cache, webhook endpoint cache, quota enforcement, plus the entity read cache itself.

RootCacheBindingSeeder seeds the root project's Redis binding at deployment genesis. Operator opts out via Vadyl:Bootstrap:SeedRootCacheBinding=false. No host-global default cache.