feat(vault): VaultCodec pipeline, 5 cache backends, 3 service transports (Issue #79) #98
Merged
eterna2 merged 6 commits into release/v0.4.0 from Apr 25, 2026
- VaultCodec: optional composable pipeline (compress → encrypt at rest)
  - ZlibCompressor, GzipCompressor (stdlib); LZ4Compressor, ZstdCompressor (extras)
  - AES256GCMEncryptor (AES-256-GCM, random nonce per call), FernetEncryptor
  - HandleVault gains optional codec= parameter; no-op when not set
- Cache Backends:
  - SQLiteCache (stdlib): ACID, in-memory or persistent file, thread-safe
  - LMDBCache (kest[lmdb]): memory-mapped B+tree, fastest reads
  - CachetoolsCache (kest[cachetools]): pure-Python LRU or TTL cache
  - RedisCache (kest[redis]): RESP-protocol; also compatible with KeyDB
  - ValkeyCache (kest[valkey]): Valkey RESP-protocol; Linux Foundation fork
- Vault Service Transports (all stdlib, no extra deps):
  - VaultHTTPServer: REST/JSON over HTTP (POST/GET/DELETE endpoints)
  - VaultRPCServer: XML-RPC with fault-mapped typed vault errors
  - VaultSocketServer: JSON-RPC 2.0 over TCP or Unix domain socket
  - VaultClient: unified client factory (.http(), .rpc(), .socket())
- New optional extras: lmdb, cachetools, redis, valkey, lz4, zstd
- Dev deps: cachetools, fakeredis (for testing)
- All symbols exported from kest.core public API
- 344 unit tests passing (9 skipped for optional deps)
- README and CHANGELOG updated

Closes #79

Medical records agent scenario with two MCP servers:
- server_patient_records.py: Patient PII sealed into HandleVault on every lookup; agent receives only opaque handles + non-sensitive safe_views. Encryption at rest: ZlibCompressor → AES256GCMEncryptor. Privileged resolve_handle tool for gateway-only ACL-protected unseal.
- server_pharmacy.py: Non-sensitive drug info + interaction checking. No vault needed — shows the contrast with sensitive data boundaries.
- agent.py: Orchestrates both MCP servers via stdio subprocesses. Composes treatment summary using only safe_views and pharmacy data. Gateway demo resolves all handles with ACL enforcement; attacker principal correctly receives HandleAccessDeniedError.

Demonstrates:
- Zero-trust data boundary: PII never crosses into agent memory
- VaultCodec: compress + encrypt at rest
- Pluggable principals: owner + granted_principals ACL model
- ACL enforcement: attacker SPIFFE ID rejected at unseal time
- Non-sensitive safe_view: safe for LLM context windows

- gateway.py: standalone module with run_gateway_audit(session, agent_result) and _audit_handles() for CLI use. Supports both import-from-agent and direct CLI invocation: uv run python gateway.py hdl_<id> [hdl_<id> ...]
- agent.py: imports run_gateway_audit from gateway.py (no duplicate logic)

ACL enforcement demo: agent + attacker both correctly denied at unseal
…ration
gateway_api.py — FastAPI gateway sitting in front of the patient-records
MCP server, demonstrating HandleVault integration in a real HTTP service:
Endpoints:
GET /health — liveness check
GET /tokens — [demo] issue HS256 JWTs for testing
GET /patient/{id} — agent-tier: handle_id + safe_view (auth required)
GET /patient/{id}/rx — agent-tier: prescription handles (auth required)
GET /safe-view/{handle_id} — public: safe_view, no auth needed
GET /resolve/{handle_id} — GATEWAY ONLY: unseals vault → raw PII
Auth model:
• JWT Bearer (HS256); 'principal' claim maps to SPIFFE identity
• /resolve enforces gateway principal; agent token → HTTP 403
• Vault ACL also enforces at the MCP layer (double defence)
Integration:
• Single long-lived MCP stdio session per gateway process (lifespan)
• Swagger UI auto-generated at /docs
Verified:
✓ agent token → /patient/P-001 returns handle + safe_view (200)
✓ /safe-view/{hdl} returns safe_view with no auth (200)
✓ agent token → /resolve/{hdl} → HTTP 403 (principal mismatch)
✓ gateway token → /resolve/{hdl} → raw PII with audit note (200)
✓ /patient/P-001/rx → 2 prescription handles (200)
Adds kest.core.integrations.fastapi — a zero-dependency-by-default plugin
that wires HandleVault into FastAPI with one import.
Public API:
- VaultRouter(vault, extractor, gateway_principals) — drop-in APIRouter
with GET /safe-view/{handle_id} (public) and GET /resolve/{handle_id}
(gateway-only) routes.
- VaultDependency(vault, extractor) — FastAPI Depends()-compatible callable
that unseals handles with full ACL enforcement (403/404/410).
- JWTPrincipalExtractor(secret, algorithm, claim) — HS256/RSA/EC JWT bearer extractor.
- HeaderPrincipalExtractor(header_name) — plain-header extractor for proxies/sidecars.
- PrincipalExtractor — base class; implement async extract(request)->str for custom auth.
- vault_seal_response(...) — convenience helper returning a HandleResponse TypedDict.
Design:
- FastAPI/jose imports are lazy; kest.core remains importable without extras.
- Symbols hoisted into kest.core.__init__ under try/except ImportError.
- Request type annotation injected into route handlers at router build-time to
work around from __future__ import annotations stringification + FastAPI DI.
Testing:
- 13 tests via httpx.AsyncClient+ASGITransport (no live server).
- All 357 unit tests pass.
Closes part of #79.
…ckfile
- kest/core/integrations/__init__.py — makes integrations a package
- kest/core/integrations/fastapi/__init__.py — public re-exports
- kest/core/integrations/fastapi/_plugin_test.py — 13-test suite
- pyproject.toml — fastapi optional extra + dev deps
- uv.lock — updated lockfile
be33735 to
9f6e140
eterna2 added a commit that referenced this pull request Apr 25, 2026

…rts (Issue #79) (#98)

* feat(vault): add VaultCodec, 5 cache backends, and 3 service transports
- VaultCodec: optional composable pipeline (compress → encrypt at rest) - ZlibCompressor, GzipCompressor (stdlib); LZ4Compressor, ZstdCompressor (extras) - AES256GCMEncryptor (AES-256-GCM, random nonce per call), FernetEncryptor - HandleVault gains optional codec= parameter; no-op when not set - Cache Backends: - SQLiteCache (stdlib): ACID, in-memory or persistent file, thread-safe - LMDBCache (kest[lmdb]): memory-mapped B+tree, fastest reads - CachetoolsCache (kest[cachetools]): pure-Python LRU or TTL cache - RedisCache (kest[redis]): RESP-protocol; also compatible with KeyDB - ValkeyCache (kest[valkey]): Valkey RESP-protocol; Linux Foundation fork - Vault Service Transports (all stdlib, no extra deps): - VaultHTTPServer: REST/JSON over HTTP (POST/GET/DELETE endpoints) - VaultRPCServer: XML-RPC with fault-mapped typed vault errors - VaultSocketServer: JSON-RPC 2.0 over TCP or Unix domain socket - VaultClient: unified client factory (.http(), .rpc(), .socket()) - New optional extras: lmdb, cachetools, redis, valkey, lz4, zstd - Dev deps: cachetools, fakeredis (for testing) - All symbols exported from kest.core public API - 344 unit tests passing (9 skipped for optional deps) - README and CHANGELOG updated Closes #79

* showcase(vault): realistic MCP agent demo for HandleVault + OpaqueHandle
Medical records agent scenario with two MCP servers: - server_patient_records.py: Patient PII sealed into HandleVault on every lookup; agent receives only opaque handles + non-sensitive safe_views. Encryption at rest: ZlibCompressor → AES256GCMEncryptor. Privileged resolve_handle tool for gateway-only ACL-protected unseal. - server_pharmacy.py: Non-sensitive drug info + interaction checking. No vault needed — shows the contrast with sensitive data boundaries. - agent.py: Orchestrates both MCP servers via stdio subprocesses. Composes treatment summary using only safe_views and pharmacy data. Gateway demo resolves all handles with ACL enforcement; attacker principal correctly receives HandleAccessDeniedError. Demonstrates: - Zero-trust data boundary: PII never crosses into agent memory - VaultCodec: compress + encrypt at rest - Pluggable principals: owner + granted_principals ACL model - ACL enforcement: attacker SPIFFE ID rejected at unseal time - Non-sensitive safe_view: safe for LLM context windows

* showcase(vault): extract gateway.py as standalone privileged auditor
- gateway.py: standalone module with run_gateway_audit(session, agent_result) and _audit_handles() for CLI use. Supports both import-from-agent and direct CLI invocation: uv run python gateway.py hdl_<id> [hdl_<id> ...] - agent.py: imports run_gateway_audit from gateway.py (no duplicate logic) ACL enforcement demo: agent + attacker both correctly denied at unseal

* showcase(vault): add FastAPI HTTP gateway with JWT auth + vault integration
gateway_api.py — FastAPI gateway sitting in front of the patient-records MCP server, demonstrating HandleVault integration in a real HTTP service: Endpoints: GET /health — liveness check GET /tokens — [demo] issue HS256 JWTs for testing GET /patient/{id} — agent-tier: handle_id + safe_view (auth required) GET /patient/{id}/rx — agent-tier: prescription handles (auth required) GET /safe-view/{handle_id} — public: safe_view, no auth needed GET /resolve/{handle_id} — GATEWAY ONLY: unseals vault → raw PII Auth model: • JWT Bearer (HS256); 'principal' claim maps to SPIFFE identity • /resolve enforces gateway principal; agent token → HTTP 403 • Vault ACL also enforces at the MCP layer (double defence) Integration: • Single long-lived MCP stdio session per gateway process (lifespan) • Swagger UI auto-generated at /docs Verified: ✓ agent token → /patient/P-001 returns handle + safe_view (200) ✓ /safe-view/{hdl} returns safe_view with no auth (200) ✓ agent token → /resolve/{hdl} → HTTP 403 (principal mismatch) ✓ gateway token → /resolve/{hdl} → raw PII with audit note (200) ✓ /patient/P-001/rx → 2 prescription handles (200)

* feat(kest-core): FastAPI integration plugin (kest[fastapi])
Adds kest.core.integrations.fastapi — a zero-dependency-by-default plugin that wires HandleVault into FastAPI with one import. Public API: - VaultRouter(vault, extractor, gateway_principals) — drop-in APIRouter with GET /safe-view/{handle_id} (public) and GET /resolve/{handle_id} (gateway-only) routes. - VaultDependency(vault, extractor) — FastAPI Depends()-compatible callable that unseals handles with full ACL enforcement (403/404/410). - JWTPrincipalExtractor(secret, algorithm, claim) — HS256/RSA/EC JWT bearer extractor. - HeaderPrincipalExtractor(header_name) — plain-header extractor for proxies/sidecars. - PrincipalExtractor — base class; implement async extract(request)->str for custom auth. - vault_seal_response(...) — convenience helper returning a HandleResponse TypedDict. Design: - FastAPI/jose imports are lazy; kest.core remains importable without extras. - Symbols hoisted into kest.core.__init__ under try/except ImportError. - Request type annotation injected into route handlers at router build-time to work around from __future__ import annotations stringification + FastAPI DI. Testing: - 13 tests via httpx.AsyncClient+ASGITransport (no live server). - All 357 unit tests pass. Closes part of #79.

* chore(kest-core): add fastapi integration package files and update lockfile
- kest/core/integrations/__init__.py — makes integrations a package - kest/core/integrations/fastapi/__init__.py — public re-exports - kest/core/integrations/fastapi/_plugin_test.py — 13-test suite - pyproject.toml — fastapi optional extra + dev deps - uv.lock — updated lockfile
Summary
Closes #79
This PR implements the full Data Vault expansion requested in Issue #79:
VaultCodec — Encryption & Compression Pipeline
- ZlibCompressor, GzipCompressor (stdlib); LZ4Compressor (kest[lz4]), ZstdCompressor (kest[zstd])
- AES256GCMEncryptor (AES-256-GCM, random nonce per call), FernetEncryptor
- HandleVault(codec=VaultCodec(...))) — no-op when codec is not set

Pluggable Cache Backends (5 implementations)
- SQLiteCache
- LMDBCache: kest[lmdb]
- CachetoolsCache: kest[cachetools]
- RedisCache: kest[redis]
- ValkeyCache: kest[valkey]

Vault Service Transports (all stdlib)
- VaultHTTPServer — REST/JSON (HTTP); endpoints: POST /handles, POST /handles/{id}/unseal, DELETE /handles/{id}, GET /handles/{id}/safe_view
- VaultRPCServer — XML-RPC; faults mapped to typed vault errors
- VaultSocketServer — JSON-RPC 2.0 over TCP or Unix socket; 4-byte length-framing
- VaultClient — unified factory: .http(), .rpc(), .socket()

Testing
- threading.Lock replacing per-thread threading.local)
- fakeredis (no live server required)

Documentation
- @kest_verified integration
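
The two-layer check the commit messages call "double defence" (a route-level gateway principal check on /resolve, then the vault ACL at unseal), as an added stdlib-only sketch that is not code from this PR or from kest. `ToyVault`, `resolve`, `issue_token`, the SPIFFE IDs, the secret and the 401 status are all assumptions of the example, and its at-rest step is compression only.

```python
# Added example; every name below is hypothetical and none of it is kest's API.
import base64, hashlib, hmac, json, secrets, zlib

SECRET = b"constructed-demo-secret"   # constructed key, demo only
GATEWAY, AGENT = "spiffe://example.test/gateway", "spiffe://example.test/agent"  # constructed IDs

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(principal, alg="HS256"):
    """Demo issuer: a JWT whose 'principal' claim carries the SPIFFE ID."""
    head = _b64(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64(json.dumps({"principal": principal}).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def principal_from_token(token):
    """Return the verified principal, or None for a malformed or forged token."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":   # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
            return None
        claim = json.loads(_unb64(body)).get("principal")
        return claim if isinstance(claim, str) else None
    except (ValueError, AttributeError):
        return None

class ToyVault:
    """Stand-in vault: each handle has an owner + granted_principals ACL."""
    def __init__(self):
        self._rows = {}

    def seal(self, record, owner, granted=()):
        handle = "hdl_" + secrets.token_hex(8)
        blob = zlib.compress(json.dumps(record).encode())  # compression only, no encryption
        self._rows[handle] = (blob, {owner, *granted})
        return handle

    def unseal(self, handle, principal):
        blob, acl = self._rows[handle]            # KeyError for an unknown handle
        if principal not in acl:
            raise PermissionError(principal)
        return json.loads(zlib.decompress(blob))

def resolve(vault, handle, token, gateway_principals=frozenset({GATEWAY})):
    """Gateway-only route; returns (status, body). The 401 is this example's choice."""
    principal = principal_from_token(token)
    if principal is None:
        return 401, None
    if principal not in gateway_principals:       # layer 1: route allow-list
        return 403, None
    try:
        return 200, vault.unseal(handle, principal)   # layer 2: vault ACL
    except KeyError:
        return 404, None
    except PermissionError:
        return 403, None

def demo():
    vault = ToyVault()
    h = vault.seal({"name": "Constructed Patient"}, owner=GATEWAY)   # constructed record
    head, _, sig = issue_token(AGENT).split(".")
    spliced = f"{head}.{issue_token(GATEWAY).split('.')[1]}.{sig}"   # gateway claim, agent signature
    tokens = {"gateway": issue_token(GATEWAY), "agent": issue_token(AGENT),
              "spliced": spliced, "alg_none": issue_token(GATEWAY, alg="none")}
    out = {name: resolve(vault, h, tok)[0] for name, tok in tokens.items()}
    # Route allow-list wrongly admits the agent: the vault ACL still refuses.
    out["misconfigured"] = resolve(vault, h, tokens["agent"], frozenset({GATEWAY, AGENT}))[0]
    return out
```

The `misconfigured` case is the reason for the second layer: with the route allow-list widened by mistake, the agent token passes the gateway check and is still refused by the ACL stored with the handle.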