Summary
Restructure the vault and connection model so that there is one default Vault (currently per-identity) and connections inside it are named and scoped per identity. The server maintains a registry mapping connections to the identity that owns them.
Current Model
- Each identity gets its own Vault (resolved via
PrincipalVaultBindingRegistry).
- Credential store keys are namespaced as
vault:<vault_id>:<provider>:connection:<name>.
- Two identities cannot share a Vault or see each other's connections.
Proposed Model
- There is one default Vault (e.g. the Vault bound to the root Principal or the first identity at
init time).
- Connections inside the Vault are named and tagged by identity: e.g.
vault:<vault_id>:<provider>:connection:<identity_handle>/<name> or a separate connection registry keyed by (provider, connection_name, identity_handle).
- The server maintains a ConnectionRegistry that records which identity owns (or last wrote) each connection — enabling future access control, auditing, and sharing without changing the encrypted blob layout.
AuthService is constructed with the shared vault_id but resolves connections scoped to the requesting identity_handle.
Why This Matters
This is the foundational step toward a shared-vault model (see #363) without introducing full multi-tenancy up front. A single Vault is simpler to back up, rotate keys on, and eventually sync to a hosted service (see #361). Named per-identity connections preserve isolation today while leaving the door open for explicit sharing later.
Work Items
Key Invariant
A connection is owned by exactly one identity. The Vault is shared; the connections inside it are not — unless explicitly granted (future work).
Summary
Restructure the vault and connection model so that there is one default Vault (currently per-identity) and connections inside it are named and scoped per identity. The server maintains a registry mapping connections to the identity that owns them.
Current Model
PrincipalVaultBindingRegistry).vault:<vault_id>:<provider>:connection:<name>.Proposed Model
inittime).vault:<vault_id>:<provider>:connection:<identity_handle>/<name>or a separate connection registry keyed by(provider, connection_name, identity_handle).AuthServiceis constructed with the sharedvault_idbut resolves connections scoped to the requestingidentity_handle.Why This Matters
This is the foundational step toward a shared-vault model (see #363) without introducing full multi-tenancy up front. A single Vault is simpler to back up, rotate keys on, and eventually sync to a hosted service (see #361). Named per-identity connections preserve isolation today while leaving the door open for explicit sharing later.
Work Items
ConnectionRegistry— a server-side registry mapping(vault_id, provider, connection_name)" →identity_handle` + metadata (created_at, last_refreshed)AuthServiceto scope connection reads/writes to the calling identityPrincipalVaultBindingRegistryso a single defaultvault_idis resolved atinittime and reused by all future identities on the same machineauthsome connections listto show connection ownerKey Invariant