Vault Service
The vault is an SDK-side abstraction — not a node service — that composes the KV service with encryption networks so callers can put/get encrypted blobs as if the vault were a single service. The client encrypts locally before writing to KV and decrypts on read via a capability-gated decrypt invocation.
Role
It exists so apps don't hand-wire KV + envelope crypto for every secret. It is the storage primitive behind the Secrets space convention (vault/secrets/<NAME>). Because it is SDK-virtual, the node sees only kv writes of opaque ciphertext and encryption-network operations — there is no tinycloud.vault/* node ability.
Mechanics
DataVaultService (packages/sdk-services/src/vault/DataVaultService.ts) orchestrates the flow: derive or resolve the network key (createVaultCrypto.ts), encrypt the value client-side, write the resulting envelope with tinycloud.kv/put under a vault/... key, and reverse the steps on read (fetch the envelope, then decrypt via the node). Authority is therefore two real capabilities: a KV grant over the vault/ prefix and a decrypt grant on the network. A caller holding only the KV grant can read the envelope but never the plaintext.
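The put/get flow above, modelled as an added example that is not the SDK's own code: `vaultPut`, `vaultGet`, the in-memory `kv` map, the `network.decrypt` stand-in for the node's capability-gated decrypt invocation, the `Grants` shape and the fixed `demoNetworkKey` are all hypothetical, and binding the ciphertext to its KV key via AAD is a hardening choice added here, not something the page states.

```typescript
import { createCipheriv, createDecipheriv } from "node:crypto";
import { randomBytes } from "node:crypto";

// Stand-ins for the two real authorities: a KV grant over a prefix and a decrypt grant.
export interface Grants { kvPrefix: string; canDecrypt: boolean }

// What actually lands in KV: the node only ever sees this opaque record.
export interface Envelope { alg: "aes-256-gcm"; iv: string; tag: string; ct: string }

// Constructed network key and in-memory KV; hypothetical, not the SDK's clients.
export const demoNetworkKey: Buffer = Buffer.alloc(32, 7);
export const kv = new Map<string, string>();

function requireKv(key: string, g: Grants): void {
  if (!key.startsWith(g.kvPrefix)) throw new Error(`kv grant does not cover ${key}`);
}

// Stand-in for the node-side decrypt invocation: refuses without the decrypt grant.
export const network = {
  decrypt(key: string, env: Envelope, g: Grants): string {
    if (!g.canDecrypt) throw new Error("decrypt grant missing: envelope readable, plaintext is not");
    const d = createDecipheriv(env.alg, demoNetworkKey, Buffer.from(env.iv, "base64"));
    d.setAAD(Buffer.from(key)); // must match the AAD bound at encryption time
    d.setAuthTag(Buffer.from(env.tag, "base64"));
    return Buffer.concat([d.update(Buffer.from(env.ct, "base64")), d.final()]).toString("utf8");
  },
};

// vaultPut: encrypt locally with the network key, then write only the envelope to KV.
export function vaultPut(name: string, plaintext: string, g: Grants): string {
  const key = `vault/secrets/${name}`;
  requireKv(key, g);
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", demoNetworkKey, iv);
  c.setAAD(Buffer.from(key)); // added hardening: an envelope moved to another key fails to decrypt
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  const env: Envelope = {
    alg: "aes-256-gcm", iv: iv.toString("base64"),
    tag: c.getAuthTag().toString("base64"), ct: ct.toString("base64"),
  };
  kv.set(key, JSON.stringify(env));
  return key;
}

// vaultGet: fetch the envelope under the KV grant, then decrypt under the decrypt grant.
export function vaultGet(name: string, g: Grants): string {
  const key = `vault/secrets/${name}`;
  requireKv(key, g);
  const raw = kv.get(key);
  if (raw === undefined) throw new Error(`no envelope at ${key}`);
  return network.decrypt(key, JSON.parse(raw) as Envelope, g);
}
```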
Relationships
Composes kv + encryption-networks + user-bound-decrypt; backs the secrets space and secret-manager paths; consumed via secrets-sharing. Contrast with the node-native services (kv/sql/…) — vault is purely client-side.
Status & drift
In progress. It is a real, used SDK service but still evolving; treat tinycloud.vault as an SDK convention, not a protocol ability namespace.
Sources
js-sdk: packages/sdk-services/src/vault/DataVaultService.ts, packages/sdk-services/src/vault/createVaultCrypto.ts