Secrets · Zeq Secure Context
Encrypted at-rest secret vault. AES-256-GCM with PBKDF2-HULYAS keys. Every read is an entangled state audit row — permission-gated, rate-limited, immutable. Replaces .env.
| name | owner ZID | reads | last read | grants | actions |
|---|---|---|---|---|---|
Set → value is AES-256-GCM encrypted at-rest before the row hits Postgres. The PBKDF2-derived key uses HULYAS field constants as salt material. Plaintext never lives on disk.
Read → every successful read emits one secret_read row in audit_log with a verifiable proof_digest = SHA-256(name | zid | transitionId | purpose). The entangled state is hash-linked — tampering breaks validation.
Denied read → emits secret_denied. After 5 denials in a 60-Zeqond window, further attempts trip rate-limit. Rate-limit persists across permission changes — granting a previously-blocked ZID doesn't bypass the window.
Auto-rotate → secrets with expires_zeqond set are re-encrypted automatically when the daemon ticks (every ~100 Zeqonds). The plaintext is unchanged; only the on-disk IV rotates. Each rotation emits secret_rotated.
CLI equivalent: zeq context list, set, rotate, grant, revoke, audit, delete. Same surface from the workbench drawer.