daemon

Per-container vault runtime — embeddable proxy, protocol services, audit.

The runtime side of the vault: the aiohttp app each per-container supervisor mounts to swap phantom tokens for real credentials. Every container gets a fresh VaultProxy that lives only as long as the container.

Collaborators:

  • token_broker: VaultProxy, the embeddable aiohttp HTTP+WebSocket reverse proxy that swaps phantom tokens for real API credentials before forwarding upstream.
  • audit — append-only JSONL audit log for every credential-bearing broker request.

Three shared marker constants live here directly: the health-check path the broker serves and two phantom-credential markers (Claude shared .credentials.json and Codex shared auth.json). Earlier iterations had these in a sibling constants submodule; they're small enough that the extra module just added tach noise.

PHANTOM_CREDENTIALS_MARKER = 'terok-proxy-phantom-token:vault-handles-real-auth' module-attribute

CODEX_SHARED_OAUTH_MARKER = 'terok-proxy-codex-oauth-marker:vault-handles-real-auth' module-attribute

HEALTH_PATH = '/-/health' module-attribute
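
A minimal sketch of the phantom-token swap and the JSONL audit line described above, added here as an illustration and not the project's own code. The function name `swap_phantom`, the shape of the `vault` mapping, the audit field names, and the choice to log denied requests as well are assumptions; only `HEALTH_PATH` comes from this page.

```python
import hashlib
import io
import json
import time

HEALTH_PATH = "/-/health"  # value documented on this page


def swap_phantom(path, headers, vault, audit_fp, now=time.time):
    """Return (status, upstream_headers) for one proxied request.

    `vault` maps phantom token -> (provider, real credential); hypothetical shape.
    """
    if path == HEALTH_PATH:
        return 200, None  # health probe: nothing forwarded, nothing audited
    # Header names are case-insensitive, so match on the lowered key.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, phantom = auth.partition(" ")
    entry = vault.get(phantom) if scheme.lower() == "bearer" else None
    record = {
        "ts": now(),
        "path": path,
        # Fingerprint only: neither the phantom nor the real token is logged.
        "phantom_sha256": hashlib.sha256(phantom.encode()).hexdigest()[:16],
        "provider": entry[0] if entry else None,
        "outcome": "swapped" if entry else "denied",
    }
    audit_fp.write(json.dumps(record, sort_keys=True) + "\n")  # one object per line
    audit_fp.flush()
    if entry is None:
        return 401, None  # fail closed: an unknown phantom is never forwarded
    upstream = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    upstream["Authorization"] = f"Bearer {entry[1]}"
    return 200, upstream


def demo():
    # Constructed sample data; the credential below is not a real key.
    vault = {"phantom-abc": ("example-api", "sk-real-CONSTRUCTED")}
    log = io.StringIO()  # stands in for a file opened in append mode ("a")
    results = [
        swap_phantom("/v1/messages", {"authorization": "Bearer phantom-abc"}, vault, log),
        swap_phantom("/v1/messages", {"Authorization": "Bearer guessed"}, vault, log),
        swap_phantom(HEALTH_PATH, {}, vault, log),
    ]
    return results, log.getvalue()
```

The container only ever holds the phantom value, so a leaked environment or log from inside the container exposes nothing that works upstream, and the audit trail can be shared for review without redaction.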