Secrets
User-facing security module name reserved while plaintext-secrets remains the active implementation.
Get notified when Secrets ships.
We'll email you exactly once when the runtime is production-ready. No newsletter, no marketing follow-ups.
What Secrets does
Secrets is the one module we deliberately don't ship today. The reason is simple: secrets management is the part of the stack you absolutely do not want to get wrong on a v1. We're holding it back until the 1Password integration, the rotation flow, and the notarization story are all production-tested.
When it lands, Secrets will track references — never the secret material — to entries in 1Password vaults, surface findings from a periodic codebase scan (AWS keys, GitHub tokens, JWTs, generic high-entropy strings), and emit a tamper-evident audit record per rotation. The wire-protocol contract is final; only the runtime implementation is still in review.
Wire payload
Same shape, three syntaxesThe wire protocol is plain HTTP, plain JSON, HMAC-SHA256. The TypeScript tab uses the SDK; the cURL tab is the raw HTTP equivalent; the Python tab shows the preview SDK shape.
// Coming soon — runtime currently in review.
// The wire-protocol contract below is final.
await cuitty.emit({
type: "secret_finding",
timestamp: new Date().toISOString(),
data: {
file: "src/legacy/aws.ts",
line: 42,
type: "AWS Access Key",
severity: "high",
match: "AKIA***************",
},
});
Database schema
Excerpt from observe/modules/secrets/schema.sql.
One libSQL file per module — back it up with cp.
-- IMPORTANT: actual secret values are NEVER stored.
-- Only references to 1Password are persisted.
CREATE TABLE IF NOT EXISTS secret_references (
id INTEGER PRIMARY KEY AUTOINCREMENT,
project_id TEXT NOT NULL,
key TEXT NOT NULL,
onepassword_item_id TEXT NOT NULL,
vault_id TEXT NOT NULL,
field_name TEXT,
description TEXT,
last_synced INTEGER,
sync_status TEXT DEFAULT 'pending',
created_at INTEGER DEFAULT (unixepoch()),
UNIQUE(project_id, key)
);