Skip to content
This repository was archived by the owner on Apr 16, 2026. It is now read-only.
This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Research: Port OpenBao/Vault lease and transit patterns #25

Description

@haasonsaas

Context

OpenBao (5.8k stars, Go, MPL 2.0) is the community fork of HashiCorp Vault (pre-BSL), hosted by Linux Foundation. Full Vault API compatibility.

What to yoink

  • Lease management — TTL-based credential lifecycle with renewal, revocation, and max-TTL clamping
  • Dynamic secrets — generate short-lived credentials on-demand per request (database, cloud provider, PKI)
  • Transit encryption engine — encrypt/decrypt/sign/verify without exposing keys (encryption-as-a-service)
  • Seal/unseal mechanism — split-key initialization and auto-unseal via cloud KMS
  • Policy engine — path-based ACL policies with glob matching and capability sets

Approach

ASB's agent-scoped grants are novel — the innovation is tying secret access to a specific agent run, tool, and capability. But the underlying credential lifecycle machinery (leases, TTLs, renewal, revocation) is well-solved by Vault/OpenBao. Same language, compatible license:

  1. Study OpenBao's lease manager for TTL clamping, renewal, and forced revocation
  2. Port dynamic secret generation patterns for provider credentials
  3. Evaluate transit engine for agent-to-agent secret wrapping (wrapped-artifact delivery)
  4. Borrow policy engine patterns for ASB's capability-policy lookup

Also relevant to evalops/keys — OpenBao's secret engine patterns map directly to credential rotation and validation workflows.

References

Priority

Tier 2 — Mature credential lifecycle patterns, same language

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions