Secrets that don't leak.
Vadyl never carries raw secrets on the wire. Connections, providers, and bindings reference secrets through resolvable refs (config: or env:); secret: refs are explicitly rejected in v1 because no project-aware, non-request-scoped secret contract exists yet. The IKeyRing abstraction manages versioned encryption keys, derived per tenant with HKDF along the chain Master → tenant → ring → version, and is replaceable with an external KMS.
One canonical key ring. Pluggable backends.
IKeyRing abstraction
Pluggable key ring per ring ID. Default VadylKeyRing uses HKDF-SHA256 derivation: Master → tenant → ring → version. Replace with Azure Key Vault, AWS KMS, GCP KMS, Vault — same contract.
Versioned keys
Active / DecryptOnly / Retired. New writes use Active. Reads work on Active and DecryptOnly. Retired keys are inaccessible. The wire format embeds the key version.
Secret references
config: and env: refs only on the v1 wire. Resolution happens at the calling factory, never at the persisted entity. Raw connection strings cannot land on the binding row.
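As an added illustration (not Vadyl's own code, which this page does not show), the Python below sketches the three mechanisms described above: the HKDF-SHA256 chain Master → tenant → ring → version, the Active / DecryptOnly / Retired version states with rotation, and a call-site ref resolver that accepts config: and env: and rejects secret:. The names KeyRing, KeyState, key_for, rotate, retire and resolve_ref and the HKDF salt labels are assumptions; the AEAD step that would consume the derived key is out of scope here.

```python
import hashlib, hmac, os
from enum import Enum

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand), standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

class KeyState(Enum):
    ACTIVE = "Active"              # new writes use this version
    DECRYPT_ONLY = "DecryptOnly"   # reads of older data only
    RETIRED = "Retired"            # inaccessible

class KeyRing:
    """Hypothetical ring: master -> tenant -> ring -> version, one state per version."""
    def __init__(self, master: bytes, tenant: str, ring_id: str):
        self.ring_id = ring_id
        tenant_key = hkdf_sha256(master, b"tenant", tenant.encode())   # tenant scoping
        self._ring_key = hkdf_sha256(tenant_key, b"ring", ring_id.encode())
        self.states = {1: KeyState.ACTIVE}
    def active_version(self) -> int:
        return next(v for v, s in self.states.items() if s is KeyState.ACTIVE)
    def key_for(self, version: int) -> bytes:
        """Versioned key for reads; Retired or unknown versions are refused."""
        state = self.states.get(version)
        if state in (None, KeyState.RETIRED):
            raise PermissionError(f"{self.ring_id} v{version} is {state}")
        return hkdf_sha256(self._ring_key, b"version", version.to_bytes(4, "big"))
    def rotate(self) -> int:
        """Demote Active to DecryptOnly and mint the next Active version."""
        self.states[self.active_version()] = KeyState.DECRYPT_ONLY
        self.states[max(self.states) + 1] = KeyState.ACTIVE
        return max(self.states)
    def retire(self, version: int) -> None:
        if self.states[version] is KeyState.ACTIVE:
            raise ValueError("rotate before retiring the Active version")
        self.states[version] = KeyState.RETIRED

def resolve_ref(ref: str, config: dict) -> str:
    """Resolve a ref at the call site: config: and env: only, secret: rejected in v1."""
    scheme, _, name = ref.partition(":")
    if scheme == "config":
        return config[name]
    if scheme == "env":
        return os.environ[name]
    raise ValueError(f"unsupported secret ref scheme: {scheme!r}")
```

Because the tenant is mixed into the derivation, the same master key yields unrelated ring keys for different tenants, and a Retired version is refused even though its bytes could still be recomputed.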
Multiple rings, independent rotation
Customer-PII on one ring, internal-tokens on another. Rotate independently. A breach in one ring does not require rotating the others.
Branchable + scope-chained
Secret provider bindings are per-project, inherited from ancestors top-down. A staging branch can override the binding without touching production state.
Audit, never inline
Every secret resolution surfaces in the canonical observability relay — what was resolved, by whom, when. The actual material never appears in the trail.
Default + KMS / Vault peers
Master → tenant → ring → version
Active / DecryptOnly / Retired
config: / env: refs only
Stop pasting credentials into bindings.
Reference the secret. Rotate the key ring. Vadyl handles resolution at the right boundary, with the right audit, with the right tenant-scoped derivation.