
RepVault

Jigar Patel

Problem Statement

RepVault (jpatel98/RepVault) was designed to protect high-value credentials and reputation artifacts while allowing controlled recovery, sharing, and revocation without collapsing into a monolithic secrets manager.

Core Architecture

  • Envelope encryption service
    • Data encrypted with per-record data keys.
    • Data keys wrapped by a master key layer.
  • Secret envelope metadata
    • Versioned records with checksum + owner + scope tags.
  • Policy engine
    • Rules define who can read/write, rotate, or revoke each asset.
  • Audit-first storage design
    • Immutable append-only events for every sensitive action.

Technical Decisions

  • Revocation model
    • Token/session level revocation so one compromised credential does not invalidate unrelated assets.
  • Rotation jobs
    • Scheduled key rotation with automatic re-encryption windowing.
  • Access checkpoints
    • Read operations require policy + context checks, then short-lived access grants.
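The access checkpoint and session-level revocation described above, as an added sketch that is not RepVault's own code. It models only the policy check, the short-lived grant and revocation; the policy table, claim names, signing key and in-memory revocation set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"   # constructed sample key, not a real secret
REVOKED_SESSIONS = set()                # hypothetical in-memory revocation store

# Constructed sample policy: (subject, asset) -> actions the subject may perform.
POLICY = {
    ("alice", "asset/db-password"): {"read", "rotate"},
    ("alice", "asset/api-token"): {"read"},
}

def _sign(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_grant(subject, asset, action, session_id, ttl=60, now=None):
    """Policy check first, then a short-lived grant scoped to one asset and action."""
    if action not in POLICY.get((subject, asset), set()):
        raise PermissionError(f"{subject} may not {action} {asset}")
    now = time.time() if now is None else now
    claims = {"sub": subject, "asset": asset, "act": action,
              "sid": session_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(body)).decode()

def check_grant(token, asset, action, now=None):
    """True only for an authentic, unexpired, unrevoked grant for this asset/action."""
    body, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(sig, _sign(body)):   # constant-time comparison
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return (claims["asset"] == asset and claims["act"] == action
            and claims["exp"] > now
            and claims["sid"] not in REVOKED_SESSIONS)

def revoke_session(session_id):
    """Revoke one session; grants issued under other sessions stay valid."""
    REVOKED_SESSIONS.add(session_id)

if __name__ == "__main__":
    g1 = issue_grant("alice", "asset/db-password", "read", "sess-1")
    g2 = issue_grant("alice", "asset/api-token", "read", "sess-2")
    revoke_session("sess-1")            # sess-1 is treated as compromised
    print(check_grant(g1, "asset/db-password", "read"))
    print(check_grant(g2, "asset/api-token", "read"))
```

Because each grant names a single asset, action and session, revoking `sess-1` leaves the `sess-2` grant for the unrelated asset usable.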

Practical Outcomes

  • Reduced blast radius through scoped capabilities.
  • Deterministic replay from audit events.
  • Faster incident response with explicit revoke + propagation workflow.

Code