Enterprise Edge
Local Vault
Local Vault is an outbound-only customer edge component for connector secret storage, source attestation signing, offline spooling, event relay, and optional customer-side witness operation. It is not HashiCorp Vault.
Responsibilities
- Encrypt connector credentials locally.
- Sign source attestations before relay.
- Spool events during network outages.
- Replay spooled events in order with idempotency.
- Operate as a customer-side witness when the tenant policy enables it.
Outbound relay flow
- The customer source creates an attestation event.
- Local Vault signs and stores the event in the encrypted spool.
- Local Vault relays the event to https://verify.attesto.eu.
- Attesto returns the Proofstream receipt.
- Local Vault records receipt state and keeps retry metadata until delivery is complete.
{
  "source_ref": "local-source-2026-0001",
  "event_type": "source.attestation",
  "payload_hash": "sha256-hex",
  "local_signature": {
    "alg": "Ed25519",
    "kid": "local-vault-key-epoch",
    "signature": "hex-encoded-signature"
  }
}
Encrypted spool
The spool preserves events during network outages. Replay is ordered and idempotent: the same source reference and body can be retried, but changed content for the same source reference is rejected.
| State | Meaning |
|---|---|
| queued | Stored locally and waiting for relay. |
| relaying | Outbound request is in progress. |
| receipted | Attesto returned a Proofstream receipt. |
| conflict | Source reference replayed with different canonical content. |
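The replay rule and the states above can be sketched as follows. This is an added example, not Local Vault's own code: the `Spool` class, the `send` callback, and the canonical form (JSON with sorted keys and compact separators) are assumptions, and encryption at rest is omitted.

```python
import hashlib
import json
from collections import OrderedDict

def canonical_hash(body: dict) -> str:
    # Assumption: canonical form is JSON with sorted keys and compact separators.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class Spool:
    """In-memory stand-in for the encrypted spool (hypothetical, no encryption)."""

    def __init__(self):
        # source_ref -> entry; insertion order is the replay order.
        self.entries = OrderedDict()

    def enqueue(self, source_ref: str, body: dict) -> str:
        digest = canonical_hash(body)
        entry = self.entries.get(source_ref)
        if entry is None:
            self.entries[source_ref] = {"hash": digest, "body": body,
                                        "state": "queued", "receipt": None}
            return "queued"
        if entry["hash"] != digest:
            # Changed content for a known source_ref is rejected;
            # the originally stored event is left untouched (assumption).
            return "conflict"
        return entry["state"]  # identical retry: no duplicate entry is created

    def replay(self, send) -> list:
        """Relay undelivered entries oldest first; stop at the first failure."""
        delivered = []
        for ref, entry in self.entries.items():
            if entry["state"] == "receipted":
                continue
            entry["state"] = "relaying"
            try:
                entry["receipt"] = send(ref, entry["hash"])
            except ConnectionError:
                entry["state"] = "queued"  # outage: keep the event for a later retry
                break                      # do not skip ahead, so order is preserved
            entry["state"] = "receipted"
            delivered.append(ref)
        return delivered
```

Stopping at the first failed send, rather than skipping to later entries, is what keeps replay ordered after an outage.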
Security model
- No inbound internet route is required for relay mode.
- Connector credentials remain encrypted at the customer edge.
- Relay endpoints reject replay conflicts and tampered envelopes.
- Revocation fails closed: a revoked installation cannot keep relaying accepted events.
Customer witness mode
When enabled, Local Vault can sign monotonic checkpoints for its tenant streams. A 2-of-3 policy can combine Attesto-operated, customer-operated, and assurance witness statements so no single service is treated as the only source of history.
In witness mode, Local Vault signs checkpoint statements only when they extend the last accepted checkpoint for the tenant stream. A conflict creates fork visibility for the customer side.
Offline and online modes
- Online relay: events are signed, spooled, relayed, and receipted quickly.
- Temporary offline relay: events remain encrypted in the local spool until outbound network returns.
- Witness online: checkpoint statements are verified and signed according to policy.
- Witness unavailable: quorum may be delayed; receipts remain independent from witness availability.
