Memory · Vault
Secrets your agent can use, but not leak.
The Knowledge Vault is per-namespace AES-256-GCM storage for credentials, API tokens, signing keys, and any data classified as sensitive. Zeroize on drop. Key rotation built-in. No plaintext in logs.
Capabilities
What it does.
Every capability is production-grade. No flags, no betas — these ship the day you adopt Minds.
AES-256-GCM
Authenticated encryption with per-namespace keys via HKDF-SHA256.
Four sensitivity tiers
Public · internal · confidential · critical. RBAC enforced per tier.
Key rotation
Rotate root keys without re-encrypting every blob. Per-blob KEK.
Zeroize on drop
Decrypted material is wiped from memory on the `Drop` path.
No plaintext logs
Tracing redacts vault material. Never appears in stdout or audit logs.
Capability tokens
Vault reads require an explicit capability — no ambient access.
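How per-namespace keys via HKDF-SHA256 and a wrapped per-blob key let a root key rotate without re-encrypting blob bodies, as an added example that is not Minds code. It uses Node's built-in `crypto` module; the key layout, the `vault-ns:` info label and every function name are assumptions.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

type Sealed = { iv: Buffer; ct: Buffer; tag: Buffer };
type VaultBlob = { namespace: string; wrappedKey: Sealed; body: Sealed };

// Assumed layout: root -> HKDF-SHA256(info = "vault-ns:" + namespace) -> namespace key -> wraps per-blob key.
function namespaceKey(root: Buffer, namespace: string): Buffer {
  return Buffer.from(hkdfSync("sha256", root, Buffer.alloc(0), "vault-ns:" + namespace, 32));
}

function seal(key: Buffer, plaintext: Buffer, aad: string): Sealed {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad, "utf8")); // binds the ciphertext to its namespace
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key: Buffer, s: Sealed, aad: string): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, s.iv);
  d.setAAD(Buffer.from(aad, "utf8"));
  d.setAuthTag(s.tag);
  return Buffer.concat([d.update(s.ct), d.final()]); // final() throws on a bad tag
}

function vaultPut(root: Buffer, namespace: string, value: string): VaultBlob {
  const blobKey = randomBytes(32);
  const body = seal(blobKey, Buffer.from(value, "utf8"), namespace);
  const wrappedKey = seal(namespaceKey(root, namespace), blobKey, namespace);
  blobKey.fill(0); // best-effort wipe; JS gives no zeroize-on-drop guarantee
  return { namespace, wrappedKey, body };
}

function vaultGet(root: Buffer, blob: VaultBlob): string {
  const blobKey = unseal(namespaceKey(root, blob.namespace), blob.wrappedKey, blob.namespace);
  try {
    return unseal(blobKey, blob.body, blob.namespace).toString("utf8");
  } finally {
    blobKey.fill(0);
  }
}

// Root rotation re-wraps only the 32-byte blob key; the encrypted body is untouched.
function rotateRoot(oldRoot: Buffer, newRoot: Buffer, blob: VaultBlob): VaultBlob {
  const blobKey = unseal(namespaceKey(oldRoot, blob.namespace), blob.wrappedKey, blob.namespace);
  const wrappedKey = seal(namespaceKey(newRoot, blob.namespace), blobKey, blob.namespace);
  blobKey.fill(0);
  return { namespace: blob.namespace, wrappedKey, body: blob.body };
}
```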
API
A few lines is all it takes.
The SDK reflects the conceptual model directly. No glue code, no orchestrator, no learning curve beyond the data shape.
```typescript
// Write a credential. Tier it.
await minds.memory.vault.put({
  key: "stripe.api_key",
  value: process.env.STRIPE_KEY,
  sensitivity: "critical",
  ttl: "90d",
});

// Read it from within a capability-scoped procedure.
const key = await minds.memory.vault.get("stripe.api_key", { capability: token });
```
Specs
What it costs, what it guarantees.
Performance
- Cipher: AES-256-GCM (libsodium)
- KDF: HKDF-SHA256
- Per-blob KEK: yes — supports key rotation
- Audit: every read + write hash-chained
- Sensitivity tiers: public · internal · confidential · critical
Guarantees
- Durability: fsync per WAL commit
- Isolation: MVCC · snapshot
- Audit: BLAKE3 Merkle chain
- Encryption: AES-256-GCM per-namespace
- Concurrency: 100K+ ops/sec
Build it on Minds.
Start with the SDK. Ship in an afternoon. Run anywhere — Akasha Cloud, on-prem, or air-gapped.