Security Whitepaper

This page summarizes the current VaultCrux security model for technical due-diligence and procurement reviews.

Scope and posture

  • Covers the production delivery shape documented in the VaultCrux v2.1 plan.
  • Describes active controls and defaults, not aspirational roadmap items.
  • Complements (does not replace) customer contract terms and data-processing terms.

Core security model

  • Tenant isolation: request auth context is tenant-scoped and enforced on server routes.
  • Least privilege: role-scoped seat access (owner, admin, member, viewer) for team operations.
  • Defense in depth: Shield policy stack enforces capability, taint, approval, and kill-switch controls.
  • Replayable evidence: signed receipts provide audit trails for evidence-backed operations.

Encryption and secrets

  • Runtime secrets are rendered from Vault and not committed to source control.
  • Vault uses raft storage with scheduled backup and restore-test workflows.
  • Customer data is protected through tenant-boundary controls and encrypted storage paths.

Authentication and access control

  • API/agent mode: x-api-key + x-tenant-id.
  • Browser mode: HttpOnly frontdoor session cookie.
  • Team seat controls are role-gated and subject to feature flag posture.
  • Tenant mismatch checks return a hard authorization failure.
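One way a tenant-scoped check for API/agent mode can be structured, as an added example that is not VaultCrux code. The key store, the `authorize` and `status_for` helpers, the 401/403 status codes, the role ordering and the sample keys and tenants are all assumptions constructed for illustration.

```python
import hashlib
from typing import Mapping

ROLES = ("viewer", "member", "admin", "owner")  # ascending privilege (assumed order)


def _digest(api_key: str) -> str:
    # Store and look up keys by hash so plaintext keys never sit in the table.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample data: key digest -> (tenant the key is bound to, seat role).
KEY_STORE = {
    _digest("sample-key-acme"): ("tenant-acme", "admin"),
    _digest("sample-key-globex"): ("tenant-globex", "viewer"),
}


class AuthError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status, self.reason = status, reason


def authorize(headers: Mapping[str, str], route_tenant: str, min_role: str = "viewer") -> dict:
    """Return a tenant-scoped auth context or raise AuthError (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    api_key, claimed = h.get("x-api-key"), h.get("x-tenant-id")
    if not api_key or not claimed:
        raise AuthError(401, "missing credentials")
    record = KEY_STORE.get(_digest(api_key))
    if record is None:
        raise AuthError(401, "unknown key")
    bound_tenant, role = record
    # The tenant comes from the key's binding. The header and the route are only
    # compared against it, so a valid key cannot be pointed at another tenant.
    if claimed != bound_tenant or route_tenant != bound_tenant:
        raise AuthError(403, "tenant mismatch")
    if ROLES.index(role) < ROLES.index(min_role):
        raise AuthError(403, "insufficient role")
    return {"tenant": bound_tenant, "role": role}


def status_for(headers: Mapping[str, str], route_tenant: str, min_role: str = "viewer") -> int:
    """Map the outcome to an HTTP status (200 on success)."""
    try:
        authorize(headers, route_tenant, min_role)
        return 200
    except AuthError as exc:
        return exc.status
```

A reviewer can use the same cases as acceptance checks: a valid key presented with another tenant's id, or against another tenant's route, must fail outright rather than fall back to the key's own tenant.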

Observability and operational endpoints

  • /metrics and /build-info are restricted to tailnet allowlist or authenticated access.
  • /readyz remains public for readiness contract compatibility.
  • /healthz and /livez remain part of the core operational interface.

Auditability and traceability

  • Build metadata includes service version and deploy commit SHA when deployed via standard infra scripts.
  • Receipts and proofpack surfaces support replay, verification, and incident review.
  • Access/session activity is logged for operational forensics and support workflows.

Vulnerability and incident handling

  • Security incidents follow runbook-driven triage, containment, and remediation.
  • Flag-controlled rollout supports fast mitigation and rollback when needed.
  • Security reports should include impact, affected flow, and reproducible steps.

Copyright 2026 CueCrux