{"id":50983987,"url":"https://github.com/valkyoth/lykilheim","last_synced_at":"2026-06-19T17:03:55.551Z","repository":{"id":361402670,"uuid":"1254176688","full_name":"valkyoth/lykilheim","owner":"valkyoth","description":null,"archived":false,"fork":false,"pushed_at":"2026-05-30T13:18:51.000Z","size":55,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-30T14:16:32.287Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"eupl-1.2","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/valkyoth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["eldryoth"],"thanks_dev":"u/gh/eldryoth"}},"created_at":"2026-05-30T08:28:24.000Z","updated_at":"2026-05-30T13:18:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/valkyoth/lykilheim","commit_stats":null,"previous_names":["valkyoth/lykilheim"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/valkyoth/lykilheim","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/valkyoth%2Flykilheim","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/valkyoth%2Flykilheim/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/valkyoth%2Flykilheim/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/valkyoth%2Flykilheim/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/valkyoth","download_url":"https://codeload.github.com/valkyoth/lykilheim/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/valkyoth%2Flykilheim/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34540570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-19T02:00:06.005Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-19T17:03:54.659Z","updated_at":"2026-06-19T17:03:55.535Z","avatar_url":"https://github.com/valkyoth.png","language":"Shell","funding_links":["https://github.com/sponsors/eldryoth","https://thanks.dev/u/gh/eldryoth"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cb\u003eRust-native, API-driven secrets manager planned as a secure Vault/OpenBao alternative.\u003c/b\u003e\u003cbr\u003e\n  Memory-safe by design. Auditable by default. Ready for rootless containers.\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"docs/version-plan.md\"\u003eVersion Plan\u003c/a\u003e\n  ·\n  \u003ca href=\"docs/feature-parity.md\"\u003eFeature Parity\u003c/a\u003e\n  ·\n  \u003ca href=\"release-notes\"\u003eRelease Notes\u003c/a\u003e\n  ·\n  \u003ca href=\"SECURITY.md\"\u003eSecurity\u003c/a\u003e\n\u003c/div\u003e\n\n\u003cbr\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./.github/images/lykilheim.webp\" alt=\"Lykilheim overview\"\u003e\n\u003c/p\u003e\n\n# Lykilheim\n\nLykilheim is a planned from-scratch Rust secrets manager inspired by the\noperational model of HashiCorp Vault and OpenBao. The target is a fully\nAPI-driven vault with encrypted storage, fail-closed audit behavior, token and\nlease management, policy enforcement, rootless Wolfi containers, and a clear\npath toward safe extension through native adapters and sandboxed Wasm plugins.\n\nCurrent status: `0.1.0` foundation work. The repository has the first Rust\ncrate, governance, security policy, release notes, a feature-parity audit,\nversioned implementation plan, API-shape docs, and rootless container\nplaceholders.\n\nLykilheim is licensed under the European Union Public Licence 1.2.\n\n## What Exists Today\n\n### Planning And Governance\n\n| Capability | Status | Notes |\n| --- | --- | --- |\n| Version plan | Present | Release ladder from `0.1.0` through `2.0.0`, with STOP gates before every release. |\n| Release notes | Present | One Fluxheim-style release-note file per planned release. |\n| Feature parity audit | Present | Vault/OpenBao coverage tracked as `1.0`, preview, post-1.0, research, or intentionally different. |\n| Security policy | Present | Covers disclosure, dependency policy, crypto posture, and release evidence. |\n| GitHub metadata | Present | Contributing guide, PR template, issue template, Dependabot, CODEOWNERS, and CI bootstrap. |\n| Rust toolchain | Present | Rust `1.96.0` pinned in `rust-toolchain.toml`. |\n| Rust crate | Present | Foundation modules for API, config, errors, audit, crypto, storage, and tests. |\n| Bootstrap checks | Present | `scripts/checks.sh` validates metadata, docs, formatting, clippy, and tests. |\n\n### First Stable Target\n\n| Capability | Status | Target |\n| --- | --- | --- |\n| API-driven init, seal, unseal, health, and version | Planned | `1.0.0` |\n| Encrypted storage barrier | Planned | `1.0.0` |\n| Shamir unseal, rekey, and key rotation | Planned | `1.0.0` |\n| Audit devices with fail-closed behavior | Planned | `1.0.0` |\n| Token engine, leases, renewal, and revocation | Planned | `1.0.0` |\n| Policy engine and capabilities APIs | Planned | `1.0.0` |\n| Identity, aliases, groups, and namespaces base | Planned | `1.0.0` |\n| KV v2, cubbyhole, and response wrapping | Planned | `1.0.0` |\n| AppRole and userpass baseline auth | Planned | `1.0.0` |\n| Transit baseline and PKI baseline | Planned | `1.0.0` |\n| Backup/restore and storage migrations | Planned | `1.0.0` |\n| Standalone binary and rootless Wolfi container | Planned | `1.0.0` |\n\n### Post-1.0 Differentiators\n\n| Capability | Status | Target |\n| --- | --- | --- |\n| Secret inventory | Planned | `1.1.0` |\n| Policy simulator | Planned | `1.1.0` |\n| Dry-run blast-radius mode | Planned | `1.1.0` |\n| Local-first developer mode | Planned | `1.1.0` |\n| Secret leak intake | Planned | `1.2.0` |\n| Rotation readiness scoring | Planned | `1.2.0` |\n| Lifecycle webhooks | Planned | `1.2.0` |\n| Adapter conformance framework | Planned | `1.3.0` |\n| Human approval workflows | Planned | `1.4.0` |\n| Break-glass mode | Planned | `1.4.0` |\n| Tamper-evident audit bundles | Planned | `1.5.0` |\n| Stable Wasm extension platform | Planned | `2.0.0` |\n\n## Why Lykilheim\n\n- **Rust first**: memory-safe implementation with a pinned stable toolchain.\n- **API first**: every operator workflow should be possible through documented\n  APIs; CLI tooling can wrap APIs but should not be the control plane.\n- **Security first**: fail closed where audit, authorization, cryptography, or\n  storage integrity cannot be proven.\n- **Documentation first**: user-facing features, APIs, configuration,\n  deployment paths, and security behavior are not done until they are documented.\n- **Rootless ready**: standalone binary and rootless Wolfi container operation\n  are first-class release gates.\n- **Portable binary**: the standalone server should work on Linux, macOS,\n  Windows, and BSD-style Unix systems; the hardened Wolfi container remains\n  Linux-only.\n- **Parity-aware**: Vault/OpenBao features are tracked explicitly so missing\n  behavior is scheduled, deferred, or intentionally different.\n- **Extensible later**: native adapters come first; sandboxed Wasm plugins are a\n  later major-version goal after review.\n\n## Quick Start\n\nValidate the current bootstrap repository:\n\n```bash\nscripts/checks.sh\n```\n\nRead the implementation plan:\n\n```bash\nsed -n '1,220p' docs/version-plan.md\n```\n\nRead the Vault/OpenBao feature audit:\n\n```bash\nsed -n '1,220p' docs/feature-parity.md\n```\n\nThe normal local checks currently run:\n\n```bash\ncargo fmt --all --check\ncargo clippy --all-targets -- -D warnings\ncargo test\ncargo deny check bans licenses sources\ncargo audit --db target/advisory-db\n```\n\n`cargo-deny` and `cargo-audit` are required for `scripts/checks.sh` once the\nRust crate exists.\n\n## Planned Release Lines\n\nLykilheim does not treat every planned idea as part of `1.0.0`.\n\n- `0.1.0` starts the crate, threat model, checks, and documentation index.\n- `0.2.0` builds sealed storage and the cryptographic barrier.\n- `0.3.0` adds API routing, audit, policy skeleton, mounts, wrapping design,\n  and cubbyhole design.\n- `0.4.0` adds tokens, leases, KV v2, identity, and cubbyhole storage.\n- `0.5.0` adds AppRole and userpass baseline authentication.\n- `0.6.0` adds transit and PKI baseline services.\n- `0.7.0` adds rootless Wolfi operations, backup/restore, and metrics.\n- `0.8.0` adds Raft high-availability preview and replication boundaries.\n- `0.9.0` adds plugin and dynamic adapter preview work.\n- `0.10.0` freezes the `1.0.0` compatibility contract.\n- `1.0.0` is the first stable vault foundation.\n- `1.1.0` through `1.5.0` add operator intelligence, leak response, adapter\n  certification, human approval, and tamper-evident operations.\n- `2.0.0` is the planned sandboxed extension-platform major release.\n\nSee [Version Plan](docs/version-plan.md) for the complete release ladder and\nSTOP gates.\n\n## Adapter Roadmap\n\nLykilheim will use provider-specific adapters behind common engine traits.\nEarly adapters should be compiled into the binary behind explicit Cargo\nfeatures; later adapters may be sandboxed Wasm plugins.\n\n| Adapter family | Initial targets |\n| --- | --- |\n| SQL databases | PostgreSQL, MySQL, MariaDB |\n| Document databases | MongoDB |\n| Multi-model databases | SurrealDB |\n| Cache/key-value services | Redis, Valkey |\n| Message brokers | RabbitMQ |\n| Public cloud providers | AWS, Azure, GCP |\n| European/cloud infrastructure providers | Hetzner, DigitalOcean |\n| Extensible providers | Custom signed Wasm adapters |\n\nEvery adapter must document upstream API calls or statements, minimum\nprivileges, lease behavior, revocation behavior, audit redaction, failure modes,\nand local smoke coverage where practical.\n\n## Documentation\n\n- [Version Plan](docs/version-plan.md)\n- [Documentation Index](docs/index.md)\n- [Architecture](docs/architecture.md)\n- [API Reference](docs/api-reference.md)\n- [Local Development](docs/local-development.md)\n- [Build And Podman](docs/build-and-podman.md)\n- [Release Checklist](docs/release-checklist.md)\n- [Feature-Parity Audit](docs/feature-parity.md)\n- [Security Model](docs/security-model.md)\n- [Portability Policy](docs/portability.md)\n- [Security Policy](SECURITY.md)\n- [Release Notes](release-notes)\n- [Contributing](.github/CONTRIBUTING.md)\n- [Pull Request Template](.github/PULL_REQUEST_TEMPLATE.md)\n- [Issue Template](.github/ISSUE_TEMPLATE/bug_report.yml)\n\nPlanned documentation areas for later implementation releases:\n\n- configuration reference;\n- operator guide;\n- storage and backup/restore guide;\n- audit guide;\n- auth, identity, policy, token, lease, KV v2, cubbyhole, wrapping, transit, and\n  PKI guides;\n- rootless Podman and Wolfi guide;\n- adapter and plugin guides;\n- release checklist and release verification guide.\n\n## Security And Dependency Policy\n\nLykilheim uses or will use:\n\n- pinned Rust stable toolchain;\n- GitHub CI and CodeQL default setup;\n- `cargo deny` for license and dependency policy once the crate exists;\n- `cargo audit` for advisory checks once the crate exists;\n- SBOM and checksum evidence for release artifacts;\n- rootless Podman smoke tests before container releases;\n- explicit STOP gates and pentest/review before every release.\n\nBefore publishing or merging security-sensitive changes:\n\n```bash\nscripts/checks.sh\n```\n\nBefore cutting the `0.1.0` release candidate:\n\n```bash\nscripts/release_0_1_gate.sh\nLYKILHEIM_RELEASE_PODMAN=1 scripts/release_0_1_gate.sh\n```\n\nBuild native standalone release artifacts on each target OS:\n\n```bash\npython3 scripts/build_release_binary.py linux --ref v0.1.0\n```\n\nUse `macos`, `bsd`, or `windows` for the matching host. See\n[docs/release-binaries.md](docs/release-binaries.md). Native ARM hosts are\nsupported; use `--target` only when the build host is prepared for an explicit\nRust target triple. Release artifacts are built only from a matching release\ntag and are named like `lykilheim-0.1.0-linux-x86_64.tar.gz`; use `--os-label`\nfor variants such as `windows11` or `windowsserver2026`.\n\nThe gate writes evidence to `target/release-evidence/0.1.0/`. The focused\npentest scope is documented in\n[docs/pentest-0.1.0.md](docs/pentest-0.1.0.md).\n\nSee [SECURITY.md](SECURITY.md) for vulnerability reporting and release\nsupply-chain expectations.\n\n## License\n\nLykilheim is distributed under the\n[European Union Public Licence v1.2](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvalkyoth%2Flykilheim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvalkyoth%2Flykilheim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvalkyoth%2Flykilheim/lists"}