vault

Vault — unified credential service: store, SSH, embeddable proxy.

The vault protects API credentials and SSH keys behind phantom tokens. Containers never see real secrets: they present phantom tokens, and each per-container vault proxy validates the token against the at-rest store, injects the real credentials, and forwards the request upstream.

Three sub-packages under one namespace:

  • store — the at-rest SQLCipher database and the six-tier passphrase resolution chain that unlocks it.
  • ssh — keypair I/O, scope provisioning, and the SSH-agent protocol handler.
  • daemon — the embeddable aiohttp proxy (VaultProxy) and audit logging that each per-container supervisor mounts.
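
The phantom-token swap described above, as an added example that is not the project's own code. `PhantomStore`, `rewrite_headers`, the `phm_` prefix, the Bearer scheme, and the binding of a token to one container and one upstream host are assumptions made for illustration; a plain dict stands in for the SQLCipher store.

```python
import hashlib
import secrets


class PhantomStore:
    """In-memory stand-in (assumption) for the at-rest store."""

    def __init__(self):
        self._rows = {}   # sha256(phantom) -> (container_id, upstream_host, real_secret)
        self.audit = []   # (container_id, upstream_host, decision); never holds secrets

    def issue(self, container_id, upstream_host, real_secret):
        # The phantom token is random and carries no information about the secret.
        phantom = "phm_" + secrets.token_urlsafe(24)
        digest = hashlib.sha256(phantom.encode()).hexdigest()
        self._rows[digest] = (container_id, upstream_host, real_secret)
        return phantom

    def resolve(self, phantom, container_id, upstream_host):
        # Lookup is by digest, so the store never compares raw token strings.
        row = self._rows.get(hashlib.sha256(phantom.encode()).hexdigest())
        # Assumed binding: a token is valid for one container and one upstream only.
        ok = row is not None and row[0] == container_id and row[1] == upstream_host
        self.audit.append((container_id, upstream_host, "allow" if ok else "deny"))
        return row[2] if ok else None


def rewrite_headers(store, container_id, upstream_host, headers):
    """Return (status, outbound_headers); outbound_headers is None on refusal."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, phantom = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not phantom:
        return 401, None
    real = store.resolve(phantom.strip(), container_id, upstream_host)
    if real is None:
        return 403, None
    # Drop the container's header entirely, then attach the real credential.
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    out["Authorization"] = f"Bearer {real}"
    return 200, out


if __name__ == "__main__":
    store = PhantomStore()
    token = store.issue("ctr-a", "api.example.test", "constructed-real-key")
    print(rewrite_headers(store, "ctr-a", "api.example.test",
                          {"Authorization": f"Bearer {token}"}))
    print(store.audit)
```

A phantom token copied out of one container is refused when presented from another container or toward a different upstream, and the audit record carries the decision without either token or secret.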