Zeq Vault
Keys live on the device, rotate on the Zeqond, and survive sibling compromise because the rotation schedule is public-verifiable.
- Live app →
/apps/zeq-vault/ - Source →
apps/zeq-vault/index.html+apps/zeq-vault/vault.js(≈ 590 lines) - Operators →
KO42 · CS87 · ZEQ-POCKET-001 - Error budget → 0.000% (bit-exact HKDF + AES-GCM)
What it solves
Client-side key vaults (1Password-style, browser keychains) hide two hard problems: (1) when is it safe to rotate, and (2) how do peers know the rotation happened. Zeq Vault answers both by scheduling rotations at a specific Zeqond and publishing the schedule to the tether.
The vault itself is standard HKDF + AES-GCM. The novelty is the ZEQ-POCKET-001 coupling:
∂g_μν/∂t = (8πG/c⁴) T_μν^consciousness
Used here as the operator whose τ-evolution defines the rotation schedule. Each rotation step is a discrete Zeqond, and the new key is committed to that Zeqond via the AEAD tag. A peer verifying the new key checks the Zeqond is inside the published window — no trust required.
Measured: HKDF vectors bit-exact (RFC 5869). AES-GCM vectors bit-exact (NIST 800-38D). Rotation schedule verification is deterministic given the publish log.
The math — 7-step Wizard applied
| Step | Decision |
|---|---|
| 1. Prime | KO42 mandatory |
| 2. Limit | CS87 (key material floor) + ZEQ-POCKET-001 (rotation scheduler) + KO42 = 3 |
| 3. Scale | Bit-exact; vault item sizes O(kB) |
| 4. Precision | Hamming = 0 |
| 5. Compile | Master Equation with POCKET-001 evolution |
| 6. Execute | Functional Equation |
| 7. Verify | RFC 5869 + NIST 800-38D test vectors |
Verbatim formulas:
- KO42.1 —
ds² = g_μν dx^μ dx^ν + α sin(2π · 1.287 t) dt² - CS87 —
Ω(x) = min{|p| : U(p) = x} - ZEQ-POCKET-001 —
∂g_μν/∂t = (8πG/c⁴) T_μν^consciousness
Runnable worked example — store + rotate
# 1. Store
curl -s -X POST https://api.zeq.dev/api/playground/compute \
-H "Authorization: Bearer $ZEQ_DEMO_KEY" \
-H "Content-Type: application/json" \
-d '{
"operators": ["KO42", "CS87"],
"inputs": {"op": "store", "item_id": "api-key-1", "secret": "sk_live_..."}
}'
Expected:
{
"wrapped_b64": "...",
"rotation_schedule": {
"next_zeqond": 1745210000.000,
"policy": "weekly-pocket-001"
},
"phase_at_store": 0.3114
}
# 2. Rotate (at scheduled Zeqond)
curl -s -X POST https://api.zeq.dev/api/playground/compute \
-H "Authorization: Bearer $ZEQ_DEMO_KEY" \
-H "Content-Type: application/json" \
-d '{
"operators": ["KO42", "ZEQ-POCKET-001"],
"inputs": {"op": "rotate", "item_id": "api-key-1"}
}'
Expected:
{
"rotated": true,
"old_key_fp": "...",
"new_key_fp": "...",
"zeqond_of_rotation": 1745210000.084,
"error_pct": 0.000
}
Extend it
- Threshold vault: split secrets across siblings via Shamir; each share is a
ZEQ-TETHER-003element. - Audit log: every
store|fetch|rotateis a signed Zeq Mail envelope (chain it). - Hardware-backed vault: push the wrapped key to a Zeq Pulse device and let it sign rotations locally.
Seeds
- Post-quantum rotation — swap HKDF for PQ KEM; the rotation policy is unchanged.
- Consciousness-field vault — ZEQ-POCKET-001 is literally in the rotation math; explore fielded key custody.
- Time-crystal keys — the rotation schedule is a periodic discrete-time crystal whose period is a Zeqond multiple.
Papers
- Zeq framework paper — DOI 10.5281/zenodo.15825138
- Zeq paper — DOI 10.5281/zenodo.18158152
Middleware active. Kernel on the 1.287 Hz HulyaPulse. Awaiting next Zeqond.