Files
alknet/crates/alknet-vault/src/lib.rs
glm-5.1 80128a56e5 refactor: rename alknet-secret to alknet-vault
Rename the crate from alknet-secret to alknet-vault to better reflect its
purpose as a local key vault (seed management, key derivation, encryption)
rather than a network service.

Symbol renames:
- SecretService → VaultService
- SecretServiceHandle → VaultServiceHandle
- SecretServiceActor → VaultServiceActor
- SecretServiceError → VaultServiceError
- SecretProtocol → VaultProtocol
- SecretMessage → VaultMessage
- ServiceLocked → VaultLocked
- alknet_secret → alknet_vault (crate name)

Update ADR-008 with vault access pattern: the vault is a capability source,
not a service endpoint. The CLI injects derived/decrypted material into
operation contexts — handlers never hold vault references.
2026-06-16 11:10:07 +00:00

49 lines
2.0 KiB
Rust

//! # alknet-vault
//!
//! Local key vault: BIP39 mnemonic generation, SLIP-0010 Ed25519 HD key derivation,
//! AES-256-GCM encryption for securing provider keys, credentials, and identity material.
//!
//! This crate is the only component that holds the master seed phrase. The CLI binary
//! unlocks the vault at startup and injects derived/decrypted material into operation
//! contexts. Other crates never access the vault directly — they receive keys through
//! their operation context or via the call protocol.
//!
//! ## Crate Independence
//!
//! alknet-vault does **not** depend on alknet-core or any other alknet crate. It is
//! fully independent and usable in contexts where QUIC networking doesn't exist (CLI
//! tools, test harnesses, WASM key derivation).
//!
//! ## Security Model
//!
//! The seed phrase is never persisted to disk. It is entered at startup or via
//! `Unlock` and held only in `Zeroize`-protected RAM (ADR-038). `Lock` purges
//! the seed and all cached derived keys.
//!
//! ## Module Organization
//!
//! - [`mnemonic`] — BIP39 mnemonic generation, validation, and seed derivation
//! - [`derivation`] — SLIP-0010 Ed25519 HD key derivation and path constants
//! - [`encryption`] — AES-256-GCM encrypt/decrypt and `EncryptedData` type
//! - [`protocol`] — `VaultProtocol` irpc message enum, `DerivedKey`, `KeyType`
//! - [`service`] — `VaultService` implementation with Unlock/Lock lifecycle
//! - [`ethereum`] — BIP-0032 secp256k1 HD key derivation (behind `secp256k1` feature)
pub mod cache;
pub mod derivation;
pub mod encryption;
pub mod mnemonic;
pub mod protocol;
pub mod service;
#[cfg(feature = "secp256k1")]
pub mod ethereum;
// Re-export primary public API
pub use cache::CacheConfig;
pub use derivation::{DerivationError, ExtendedPrivKey, PATHS};
pub use encryption::{EncryptedData, EncryptionError};
pub use mnemonic::{Language, Mnemonic, Seed};
pub use protocol::{DerivedKey, KeyType, VaultMessage, VaultProtocol};
pub use service::{VaultService, VaultServiceActor, VaultServiceError, VaultServiceHandle};