This repository was archived by the owner on Apr 16, 2026. It is now read-only.
What to yoink
Transit encryption engine — encrypt/decrypt/sign/verify without exposing keys (encryption-as-a-service)
Seal/unseal mechanism — split-key initialization and auto-unseal via cloud KMS
Policy engine — path-based ACL policies with glob matching and capability sets
Approach
ASB's agent-scoped grants are novel — the innovation is tying secret access to a specific agent run, tool, and capability. But the underlying credential lifecycle machinery (leases, TTLs, renewal, revocation) is well-solved by Vault/OpenBao. Same language, compatible license:
Study OpenBao's lease manager for TTL clamping, renewal, and forced revocation
Port dynamic secret generation patterns for provider credentials
Evaluate transit engine for agent-to-agent secret wrapping (wrapped-artifact delivery)
Borrow policy engine patterns for ASB's capability-policy lookup
Also relevant to evalops/keys — OpenBao's secret engine patterns map directly to credential rotation and validation workflows.
Context
OpenBao (5.8k stars, Go, MPL 2.0) is the community fork of HashiCorp Vault (pre-BSL), hosted by the Linux Foundation. Full Vault API compatibility.
Priority
Tier 2 — Mature credential lifecycle patterns, same language
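The lease lifecycle named in the Approach list (TTL clamping, renewal, forced revocation), as an added Go example that is not code from OpenBao, ASB, or this issue. The `Lease` and `Manager` types, the `run/tool/capability` lease ID layout, and the sample IDs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Hypothetical model, not OpenBao or ASB code. Lease IDs are "run/tool/capability".
type Lease struct{ Issued, Expires time.Time }
type Manager struct {
	maxTTL time.Duration // hard cap on total lifetime, measured from Issued
	leases map[string]*Lease
}

// Grant issues a lease; a TTL that is unset or above maxTTL is clamped to maxTTL.
func (m *Manager) Grant(id string, ttl time.Duration, now time.Time) *Lease {
	if ttl <= 0 || ttl > m.maxTTL {
		ttl = m.maxTTL
	}
	m.leases[id] = &Lease{Issued: now, Expires: now.Add(ttl)}
	return m.leases[id]
}

// Renew extends a live lease from now, never past Issued+maxTTL; revoked or expired leases stay dead.
func (m *Manager) Renew(id string, inc time.Duration, now time.Time) bool {
	l, ok := m.leases[id]
	if !ok || inc <= 0 || !now.Before(l.Expires) {
		return false
	}
	if left := l.Issued.Add(m.maxTTL).Sub(now); inc > left {
		inc = left
	}
	l.Expires = now.Add(inc)
	return true
}

// RevokePrefix force-revokes all leases under prefix; pass "run-1/" so "run-10/..." is untouched.
func (m *Manager) RevokePrefix(prefix string) {
	for id := range m.leases {
		if strings.HasPrefix(id, prefix) {
			delete(m.leases, id)
		}
	}
}

func main() {
	m := &Manager{maxTTL: time.Hour, leases: map[string]*Lease{}}
	fmt.Println(m.Grant("run-1/github/repo.read", 24*time.Hour, time.Unix(0, 0)).Expires.Unix()) // 3600
}
```

Measuring the cap from issue time rather than from the last renewal is what stops a long-running agent from holding a credential indefinitely through repeated renewals.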