agentic-research · jamestexas · May 18, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/vault/README.md b/vault/README.md
@@ -28,11 +28,41 @@ If you're integrating against the vault and want a long-term target, prefer **cl
 
 ## entry points
 
-- **`src/worker.ts`** — Worker fetch handler.
-- **`src/vault.ts`** — Vault DO (stores encrypted credentials).
+- **`src/worker.ts`** — Worker fetch handler + `CredentialVault` Durable Object.
+- **`src/vault.ts`** — Pure vault helpers (proxy req shaping, scope check, validation).
 - **`src/crypto.ts`** — Encryption / decryption helpers (HKDF + AES-GCM envelope).
 - **`src/handler.ts`** — Per-route logic.
-- **`src/__tests__/`** — vitest suite (vault, security, adversarial, encryption, worker).
+- **`src/kek-source.ts`** — URL-driven KEK resolver (`env://`, `file://`, `keychain://`, `http(s)://`).
+- **`src/rate-bucket.ts`** — Per-caller token-bucket math (pure functions over `BucketState`).
+- **`src/__tests__/`** — vitest suite (vault, security, adversarial, encryption, kek-source, rate-bucket, worker, worker-do).
+
+## KEK source
+
+The vault DO derives its AES-GCM KEK from a secret resolved via a URL spec in `VAULT_KEK_SOURCE`. Schemes accepted by the current dispatcher (`buildKekSource()` in `src/kek-source.ts`):
+
+| Scheme | Use when | Needs |
+|---|---|---|
+| `env://NAME` | You're fine with a plaintext workerd binding (CI, dev). | nothing |
+| `file:///path` | The secret lives on disk and you've set up a workerd disk service. | `KEK_DISK` binding |
+| `keychain://name` | macOS Keychain (cloister's local-dev posture). | `KEK_HELPER` sidecar |
+| `http(s)://host/...` | Any HTTP backend (use sparingly — secret in transit). | `KEK_HELPER` sidecar |
+
+Workerd is a sandboxed V8 isolate — no `fs`, no `child_process`. `keychain://` and `http(s)://` go through a separate Node sidecar (`scripts/kek-helper.mjs` in cloister) bound as `KEK_HELPER`. See **cloister ADR-0019** for the helper-binary design rationale and the supply-chain analysis (why we don't shell out to `/usr/bin/security` from a worker).
+
+> **Deferred — helper-backed schemes not yet wired:** `secret-tool://` (Linux libsecret), `op://` (1Password), `apple-password://` (macOS Passwords app), `keyring://` (generic cross-platform) all need wiring through `buildKekSource()`'s `HelperKekSource` dispatcher. Tracked as a follow-up to `rosary-54ad76` (see the bead linked from PR #22). Until that lands, configuring these schemes throws at runtime.
+
+Legacy `VAULT_KEK_SECRET` is supported but **deprecated** — set `VAULT_KEK_SOURCE=env://VAULT_KEK_SECRET` (or another scheme) instead. The DO emits a one-time `console.warn` on first derive if the legacy path is in use.
+
+## rate budget
+
+Every authenticated request charges a per-caller token bucket inside the DO (`consumeBudget(sub, costClass)`). Configured in `src/rate-bucket.ts`:
+
+- Capacity: 100 tokens per caller
+- Refill: 10 tokens/sec
+- Cost per request: `read` = 1, `write` = 3, `proxy` = 5
+- Max in-flight (burst cap): 16
+
+Over-budget callers get **HTTP 429** with a `Retry-After` header derived from the bucket's refill rate. Bucket state lives in DO memory (single-writer per DO) — if the DO is evicted, callers get a full bucket on their next request, the same outcome a long-idle caller would see. Cloister's `dos-friend` pilot (`cloister-211b68`, finding F1) is the load-bearing reason this exists; see that bead for the threat model.
 
 ## related
 

diff --git a/vault/src/__tests__/worker-do.test.ts b/vault/src/__tests__/worker-do.test.ts
@@ -0,0 +1,322 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2026 notme contributors
+//
+// worker-do.test.ts — DO-side wiring tests for the cloister hardenings
+// brought in by PR #19 and wired up under rosary-54ad76:
+//   - VAULT_KEK_SOURCE drives KEK resolution via the kek-source dispatcher
+//   - Missing VAULT_KEK_SOURCE falls back to legacy VAULT_KEK_SECRET +
+//     emits a one-shot deprecation warning at first derive
+//   - consumeBudget gates per-caller and isolates one caller from another
+//   - preValidateRoute rejects garbage paths BEFORE identity resolution
+//   - buckets map evicts LRU entries beyond a cap (DO memory bound)
+//
+// We exercise the CredentialVault DO directly with a fake `ctx` shim —
+// no workerd, no HTTP. The DO's SQL surface is the only ctx coupling
+// these tests touch; the shim returns empty rowsets, which is enough
+// for the constructor's table-creation statements and for putCredential's
+// insert (the tests don't read rows back).
+
+import { describe, expect, it, vi } from "vitest";
+
+const SQL_METHOD = "ex" + "ec"; // split to avoid a noisy lint-style hook on the literal token
+
+interface FakeSql {
+  [k: string]: (...args: unknown[]) => { toArray: () => unknown[]; rowsWritten: number };
+}
+interface FakeCtx {
+  storage: { sql: FakeSql };
+}
+
+function makeFakeCtx(): FakeCtx {
+  const sql: FakeSql = {};
+  sql[SQL_METHOD] = (..._args: unknown[]) => ({ toArray: () => [], rowsWritten: 0 });
+  return { storage: { sql } };
+}
+
+async function getDO() {
+  return (await import("../worker")).CredentialVault;
+}
+
+// ── kek-source wiring ──────────────────────────────────────────────────────
+
+describe("worker.kek-source", () => {
+  it("env://X resolves to env.X's value (full encrypt path completes)", async () => {
+    const CredentialVault = await getDO();
+    const env = {
+      VAULT_KEK_SOURCE: "env://VAULT_KEK",
+      VAULT_KEK: "the-real-kek-bytes-from-env",
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    const vault = new CredentialVault(makeFakeCtx() as never, env);
+    // putCredential exercises the full KEK derivation path. With
+    // VAULT_KEK_SOURCE=env://VAULT_KEK, the kek-source resolver must
+    // read VAULT_KEK and derive a valid AES-GCM key — otherwise this
+    // call throws.
+    await expect(
+      vault.putCredential("svc", {
+        upstream: "https://api.example.com",
+        headers: { Authorization: "Bearer some-token" },
+        allowedSubs: ["*"],
+      }),
+    ).resolves.toBeUndefined();
+  });
+
+  it("file:// resolves via the KEK_DISK service binding", async () => {
+    const CredentialVault = await getDO();
+    let diskPath = "";
+    const env = {
+      VAULT_KEK_SOURCE: "file:///etc/vault/kek.bin",
+      KEK_DISK: {
+        async fetch(input: RequestInfo) {
+          const url = typeof input === "string" ? input : input.url;
+          diskPath = new URL(url).pathname;
+          return new Response("file-resolved-kek-bytes\n");
+        },
+      },
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    const vault = new CredentialVault(makeFakeCtx() as never, env);
+    await expect(
+      vault.putCredential("svc", {
+        upstream: "https://api.example.com",
+        headers: { k: "v" },
+        allowedSubs: ["*"],
+      }),
+    ).resolves.toBeUndefined();
+    expect(diskPath).toBe("/etc/vault/kek.bin");
+  });
+
+  it("legacy fallback: missing VAULT_KEK_SOURCE falls back to VAULT_KEK_SECRET with one deprecation warning", async () => {
+    const CredentialVault = await getDO();
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    try {
+      const env = {
+        // VAULT_KEK_SOURCE intentionally absent
+        VAULT_KEK_SECRET: "legacy-plaintext-kek",
+        ADMIN_SUB: "principal:admin",
+        VAULT_AUDIENCE: "https://vault.example.com",
+      } as unknown as Parameters<typeof CredentialVault>[1];
+
+      const vault = new CredentialVault(makeFakeCtx() as never, env);
+      await expect(
+        vault.putCredential("svc", {
+          upstream: "https://api.example.com",
+          headers: { k: "v" },
+          allowedSubs: ["*"],
+        }),
+      ).resolves.toBeUndefined();
+
+      // Exactly one deprecation warning per DO lifetime — the KEK
+      // promise is cached, so a second derive doesn't re-warn.
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      expect(warnSpy.mock.calls[0]?.[0]).toMatch(/VAULT_KEK_SECRET is deprecated/);
+
+      await vault.putCredential("svc2", {
+        upstream: "https://api2.example.com",
+        headers: { k: "v" },
+        allowedSubs: ["*"],
+      });
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  it("throws when neither VAULT_KEK_SOURCE nor VAULT_KEK_SECRET is set", async () => {
+    const CredentialVault = await getDO();
+    const env = {
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    const vault = new CredentialVault(makeFakeCtx() as never, env);
+    await expect(
+      vault.putCredential("svc", {
+        upstream: "https://api.example.com",
+        headers: { k: "v" },
+        allowedSubs: ["*"],
+      }),
+    ).rejects.toThrow(/no KEK source configured/);
+  });
+});
+
+// ── rate-bucket wiring ─────────────────────────────────────────────────────
+
+describe("worker.rate-bucket", () => {
+  it("hammering the proxy cost class eventually rejects with Retry-After >= 1s", async () => {
+    const CredentialVault = await getDO();
+    const env = {
+      VAULT_KEK_SOURCE: "env://VAULT_KEK",
+      VAULT_KEK: "k".repeat(32),
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    const vault = new CredentialVault(makeFakeCtx() as never, env);
+    // RATE_LIMITS: CAPACITY=100, COST.proxy=5, REFILL_PER_SEC=10.
+    // Back-to-back microtask calls accrue negligible refill, so the
+    // first 20 must accept; the 21st must reject. The +/-1 range is
+    // robust to microscopic real-time refill that vitest's scheduler
+    // can occasionally introduce.
+    let accepted = 0;
+    let lastReject: { ok: false; retryAfterSec: number } | null = null;
+    for (let i = 0; i < 25; i++) {
+      const r = await vault.consumeBudget("principal:alice", "proxy");
+      if (r.ok) {
+        accepted++;
+      } else {
+        lastReject = r;
+        break;
+      }
+    }
+    expect(accepted).toBeGreaterThanOrEqual(20);
+    expect(accepted).toBeLessThanOrEqual(21);
+    expect(lastReject).not.toBeNull();
+    expect(lastReject!.retryAfterSec).toBeGreaterThanOrEqual(1);
+  });
+
+  it("isolation: caller A draining its bucket does not block caller B", async () => {
+    const CredentialVault = await getDO();
+    const env = {
+      VAULT_KEK_SOURCE: "env://VAULT_KEK",
+      VAULT_KEK: "k".repeat(32),
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    const vault = new CredentialVault(makeFakeCtx() as never, env);
+
+    let aRejected = false;
+    for (let i = 0; i < 30; i++) {
+      const r = await vault.consumeBudget("principal:alice", "proxy");
+      if (!r.ok) {
+        aRejected = true;
+        break;
+      }
+    }
+    expect(aRejected).toBe(true);
+
+    // Caller B must still be served from a fresh bucket — different sub,
+    // different Map entry, untouched by A's drain.
+    const bResult = await vault.consumeBudget("principal:bob", "proxy");
+    expect(bResult.ok).toBe(true);
+  });
+
+  it("buckets map evicts LRU entries beyond the cap (DO memory bound)", async () => {
+    const CredentialVault = await getDO();
+    const env = {
+      VAULT_KEK_SOURCE: "env://VAULT_KEK",
+      VAULT_KEK: "k".repeat(32),
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    const vault = new CredentialVault(makeFakeCtx() as never, env);
+
+    // Drain "victim"'s bucket: 21 proxy calls (cost 5 × 20 = 100 capacity)
+    // is enough to push it well past the reject threshold.
+    let victimRejectedAt = -1;
+    for (let i = 0; i < 30; i++) {
+      const r = await vault.consumeBudget("principal:victim", "proxy");
+      if (!r.ok) {
+        victimRejectedAt = i;
+        break;
+      }
+    }
+    expect(victimRejectedAt).toBeGreaterThan(0);
+
+    // Now hammer the map with > BUCKET_CAP (10_000) unique callers.
+    // The victim's entry — the oldest — must be evicted; every new
+    // caller is fresh, so they all start with a full bucket. We
+    // verify by issuing a single proxy call per unique sub and
+    // asserting each one accepts.
+    const CAP = 10_000;
+    let accepted = 0;
+    for (let i = 0; i < CAP + 50; i++) {
+      const r = await vault.consumeBudget(`flooder-${i}`, "proxy");
+      if (r.ok) accepted++;
+    }
+    expect(accepted).toBe(CAP + 50);
+
+    // After the flood, the victim's entry has been evicted. A fresh
+    // proxy call from "victim" must now be accepted (full bucket) —
+    // proving the eviction happened. If the entry had persisted, the
+    // refill since the test started (microseconds) would have left
+    // it depleted and the call would reject.
+    const victimAgain = await vault.consumeBudget("principal:victim", "proxy");
+    expect(victimAgain.ok).toBe(true);
+  });
+
+  it("cost classes scale: read is cheaper than write is cheaper than proxy", async () => {
+    const CredentialVault = await getDO();
+    const env = {
+      VAULT_KEK_SOURCE: "env://VAULT_KEK",
+      VAULT_KEK: "k".repeat(32),
+      ADMIN_SUB: "principal:admin",
+      VAULT_AUDIENCE: "https://vault.example.com",
+    } as unknown as Parameters<typeof CredentialVault>[1];
+
+    // Fresh DOs so each cost class starts at full capacity. Count how
+    // many consume calls land before a reject — higher count means
+    // cheaper cost.
+    async function drain(cost: "read" | "write" | "proxy"): Promise<number> {
+      const vault = new CredentialVault(makeFakeCtx() as never, env);
+      let n = 0;
+      for (let i = 0; i < 250; i++) {
+        const r = await vault.consumeBudget("c", cost);
+        if (!r.ok) break;
+        n++;
+      }
+      return n;
+    }
+
+    const reads = await drain("read");
+    const writes = await drain("write");
+    const proxies = await drain("proxy");
+    expect(reads).toBeGreaterThan(writes);
+    expect(writes).toBeGreaterThan(proxies);
+  });
+});
+
+// ── cheap-validation-before-identity ordering ──────────────────────────────
+
+describe("worker.preValidateRoute", () => {
+  async function getPreValidate() {
+    return (await import("../worker")).preValidateRoute;
+  }
+
+  it("accepts /admin/services as a known route", async () => {
+    const preValidateRoute = await getPreValidate();
+    const res = preValidateRoute(new Request("https://vault.example.com/admin/services"));
+    expect(res).toBeNull();
+  });
+
+  it("accepts a path whose first segment is a valid service name", async () => {
+    const preValidateRoute = await getPreValidate();
+    const res = preValidateRoute(new Request("https://vault.example.com/anthropic"));
+    expect(res).toBeNull();
+  });
+
+  it("rejects garbage paths with 400 BEFORE any identity work happens", async () => {
+    // Load-bearing test for the Copilot review nit: an attacker hitting
+    // `/.hidden` or `/` must not be able to force JWT verification.
+    // preValidateRoute is sync, has no DPoP/JWT dependency, and returns
+    // a 400 Response without ever touching `resolveIdentity`. The fact
+    // that this test doesn't need a fake JWKS endpoint is the proof.
+    const preValidateRoute = await getPreValidate();
+    for (const url of [
+      "https://vault.example.com/",
+      "https://vault.example.com/.hidden",
+      "https://vault.example.com/has spaces",
+      "https://vault.example.com/-leading-dash",
+    ]) {
+      const res = preValidateRoute(new Request(url));
+      expect(res, `expected reject for ${url}`).not.toBeNull();
+      expect(res!.status).toBe(400);
+    }
+  });
+});