Phase 1c: Extract vault logic into zeph-vault crate (Layer 1)

CHANGELOG.md

@@ -8,6 +8,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Added
 
+- refactor(vault): extract vault logic into new `zeph-vault` crate (Epic #1973 Phase 1c)
+  - New `zeph-vault` crate at Layer 1 with `VaultProvider` trait, `EnvVaultProvider`, `AgeVaultProvider`, `ArcAgeVaultProvider`, `AgeVaultError`, `default_vault_dir()`
+  - `MockVaultProvider` gated behind `#[cfg(any(test, feature = "mock"))]` — accessible from downstream test code via `zeph-vault/mock` feature
+  - `pub use zeph_common::secret::{Secret, VaultError}` re-exported from `zeph-vault` preserving `crate::vault::Secret` paths
+  - `zeph-core/src/vault.rs` replaced with thin re-export shim `pub use zeph_vault::*;` — zero import path changes in consumers
+  - `age_encrypt_decrypt_resolve_secrets_roundtrip` integration test kept in `zeph-core` (depends on `SecretResolver` trait)
+  - `age` and `zeroize` direct dependencies removed from `zeph-core` (now provided transitively via `zeph-vault`)
+
 - refactor(config): extract pure-data configuration types into new `zeph-config` crate (Epic #1973 Phase 1a)
   - New `zeph-config` crate at Layer 1 (no `zeph-core` dependency) with all pure-data config structs
   - Moved: `AgentConfig`, `FocusConfig`, `LlmConfig`, `MemoryConfig`, `SecurityConfig`, `TrustConfig`, `TimeoutConfig`, `RateLimitConfig`, `ContentIsolationConfig`, `QuarantineConfig`, `ExfiltrationGuardConfig`, `PiiFilterConfig`, `CustomPiiPattern`, `MemoryWriteValidationConfig`, `GuardrailConfig`, `GuardrailAction`, `GuardrailFailStrategy`, `PermissionMode`, `MemoryScope`, `ToolPolicy`, `SkillFilter`, `HookDef`, `HookType`, `HookMatcher`, `SubagentHooks`, `DumpFormat`, and all other pure-data config types

Cargo.toml

@@ -127,6 +127,7 @@ zeph-scheduler = { path = "crates/zeph-scheduler", version = "0.15.3" }
 zeph-skills = { path = "crates/zeph-skills", version = "0.15.3" }
 zeph-tools = { path = "crates/zeph-tools", version = "0.15.3" }
 zeph-tui = { path = "crates/zeph-tui", version = "0.15.3" }
+zeph-vault = { path = "crates/zeph-vault", version = "0.15.3" }
 
 [workspace.lints.rust]
 unsafe_code = "deny"

crates/zeph-core/Cargo.toml

@@ -19,14 +19,14 @@ compression-guidelines = ["zeph-memory/compression-guidelines", "zeph-config/com
 cuda = ["zeph-llm/cuda"]
 experiments = ["dep:ordered-float", "zeph-memory/experiments", "zeph-config/experiments"]
 guardrail = ["zeph-config/guardrail"]
-metal = ["zeph-llm/metal"]
 lsp-context = ["zeph-config/lsp-context"]
+metal = ["zeph-llm/metal"]
+mock = ["zeph-vault/mock"]
 policy-enforcer = ["zeph-tools/policy-enforcer", "zeph-config/policy-enforcer"]
 scheduler = []
 context-compression = []
 
 [dependencies]
-age.workspace = true
 async-trait.workspace = true
 base64.workspace = true
 blake3.workspace = true
@@ -56,20 +56,21 @@ tree-sitter.workspace = true
 uuid = { workspace = true, features = ["v4", "serde"] }
 zeph-common.workspace = true
 zeph-config.workspace = true
+zeph-vault.workspace = true
 zeph-index.workspace = true
 zeph-llm.workspace = true
 zeph-memory.workspace = true
 zeph-mcp.workspace = true
 zeph-skills.workspace = true
 zeph-tools.workspace = true
-zeroize = { workspace = true, features = ["derive", "serde"] }
 # See https://github.com/bug-ops/zeph (workspace dependencies only contain versions)
 
 [[bench]]
 name = "context_building"
 harness = false
 
 [dev-dependencies]
+age.workspace = true
 criterion.workspace = true
 rmcp.workspace = true
 indoc.workspace = true
@@ -81,6 +82,7 @@ sqlx.workspace = true
 tempfile.workspace = true
 zeph-llm.workspace = true
 zeph-memory.workspace = true
+zeph-vault = { workspace = true, features = ["mock"] }
 
 [lints]
 workspace = true

crates/zeph-core/src/config/mod.rs → crates/zeph-core/src/config.rs

@@ -1,35 +1,27 @@
 // SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
 // SPDX-License-Identifier: MIT OR Apache-2.0
 
-// Config is defined in zeph-config. Inherent impls (load, validate, env overrides,
-// normalize_legacy_runtime_defaults) live there. Only trait impls (SecretResolver)
-// can be added here due to Rust orphan rules.
-pub mod migrate {
-    pub use zeph_config::migrate::*;
-}
-
-#[cfg(test)]
-mod tests;
+//! Extension trait for resolving vault secrets into a Config.
+//!
+//! This trait is defined in zeph-core (not in zeph-config) due to Rust's orphan rule:
+//! implementing a foreign trait on a foreign type requires the trait to be defined locally.
 
-pub use zeph_config::{Config, ConfigError, ResolvedSecrets};
-pub use zeph_tools::AutonomyLevel;
-
-// Re-export all previously available types so downstream users see no change.
+// Re-export Config types from zeph-config for internal use.
 pub use zeph_config::{
     AcpConfig, AcpLspConfig, AcpTransport, AgentConfig, CandleConfig, CascadeClassifierMode,
     CascadeConfig, CloudLlmConfig, CompatibleConfig, CompressionConfig, CompressionStrategy,
-    CostConfig, DaemonConfig, DebugConfig, DetectorMode, DiscordConfig, DocumentConfig, DumpFormat,
-    ExperimentConfig, ExperimentSchedule, FocusConfig, GatewayConfig, GeminiConfig,
-    GenerationParams, GraphConfig, HookDef, HookMatcher, HookType, IndexConfig, LearningConfig,
-    LlmConfig, LogRotation, LoggingConfig, MAX_TOKENS_CAP, McpConfig, McpOAuthConfig,
-    McpServerConfig, MemoryConfig, MemoryScope, NoteLinkingConfig, OAuthTokenStorage,
-    ObservabilityConfig, OllamaConfig, OpenAiConfig, OrchestrationConfig, OrchestratorConfig,
-    OrchestratorProviderConfig, PermissionMode, ProviderKind, PruningStrategy, RateLimitConfig,
-    RouterConfig, RouterStrategyConfig, RoutingConfig, RoutingStrategy, ScheduledTaskConfig,
-    ScheduledTaskKind, SchedulerConfig, SecurityConfig, SemanticConfig, SessionsConfig,
-    SidequestConfig, SkillFilter, SkillPromptMode, SkillsConfig, SlackConfig, SttConfig,
-    SubAgentConfig, SubAgentLifecycleHooks, SubagentHooks, TelegramConfig, TimeoutConfig,
-    ToolPolicy, TraceConfig, TrustConfig, TuiConfig, VaultConfig, VectorBackend,
+    Config, ConfigError, CostConfig, DaemonConfig, DebugConfig, DetectorMode, DiscordConfig,
+    DocumentConfig, DumpFormat, ExperimentConfig, ExperimentSchedule, FocusConfig, GatewayConfig,
+    GeminiConfig, GenerationParams, GraphConfig, HookDef, HookMatcher, HookType, IndexConfig,
+    LearningConfig, LlmConfig, LogRotation, LoggingConfig, MAX_TOKENS_CAP, McpConfig,
+    McpOAuthConfig, McpServerConfig, MemoryConfig, MemoryScope, NoteLinkingConfig,
+    OAuthTokenStorage, ObservabilityConfig, OllamaConfig, OpenAiConfig, OrchestrationConfig,
+    OrchestratorConfig, OrchestratorProviderConfig, PermissionMode, ProviderKind, PruningStrategy,
+    RateLimitConfig, ResolvedSecrets, RouterConfig, RouterStrategyConfig, RoutingConfig,
+    RoutingStrategy, ScheduledTaskConfig, ScheduledTaskKind, SchedulerConfig, SecurityConfig,
+    SemanticConfig, SessionsConfig, SidequestConfig, SkillFilter, SkillPromptMode, SkillsConfig,
+    SlackConfig, SttConfig, SubAgentConfig, SubAgentLifecycleHooks, SubagentHooks, TelegramConfig,
+    TimeoutConfig, ToolPolicy, TraceConfig, TrustConfig, TuiConfig, VaultConfig, VectorBackend,
 };
 
 #[cfg(feature = "lsp-context")]
@@ -54,7 +46,11 @@ pub use zeph_config::{
 
 pub use zeph_config::providers::{default_stt_language, default_stt_model, default_stt_provider};
 
-use crate::vault::VaultProvider;
+pub mod migrate {
+    pub use zeph_config::migrate::*;
+}
+
+use crate::vault::{Secret, VaultProvider};
 
 /// Extension trait for resolving vault secrets into a [`Config`].
 ///
@@ -74,8 +70,6 @@ pub trait SecretResolver {
 
 impl SecretResolver for Config {
     async fn resolve_secrets(&mut self, vault: &dyn VaultProvider) -> Result<(), ConfigError> {
-        use crate::vault::Secret;
-
         if let Some(val) = vault.get_secret("ZEPH_CLAUDE_API_KEY").await? {
             self.secrets.claude_api_key = Some(Secret::new(val));
         }
@@ -154,3 +148,29 @@ impl SecretResolver for Config {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    #[cfg(any(test, feature = "mock"))]
+    async fn resolve_secrets_with_mock_vault() {
+        use crate::vault::MockVaultProvider;
+
+        let vault = MockVaultProvider::new()
+            .with_secret("ZEPH_CLAUDE_API_KEY", "sk-test-123")
+            .with_secret("ZEPH_TELEGRAM_TOKEN", "tg-token-456");
+
+        let mut config = Config::load(std::path::Path::new("/nonexistent/config.toml")).unwrap();
+        config.resolve_secrets(&vault).await.unwrap();
+
+        assert_eq!(
+            config.secrets.claude_api_key.as_ref().unwrap().expose(),
+            "sk-test-123"
+        );
+        if let Some(tg) = config.telegram {
+            assert_eq!(tg.token.as_deref(), Some("tg-token-456"));
+        }
+    }
+}