Every control on this page has a name you can look up and code you can read. No bank-grade, no military-grade — schemes, scopes, and blast radii.
Each secret is sealed with its own AES-GCM-256 data-encryption key. That DEK is wrapped by a workspace key derived via HKDF from a master key that never leaves Secrets Store. Compromising one ciphertext yields one ciphertext; compromising a workspace stops at the workspace boundary. Rotation is a re-wrap, not a re-encrypt of the world.
| component | an attacker gets | why it stops there |
|---|---|---|
| delivery worker (cdn) | resolved configs and flags, zero secrets | holds no key material — cannot decrypt by construction |
| edge KV | the same resolved values, secret ciphertext | DEKs are never written to KV |
| api worker | microseconds of in-flight plaintext | plaintext is never persisted and never logged |
| workspace DO | ciphertext plus revision history | DEKs stored wrapped; KEK derived on demand, never stored |
| Neon metadata | Argon2id password hashes, API-key hashes | no secret material lives in Postgres |
This table is the threat model. If you can break a row, security@edgevault.io wants the details.
- Argon2id, memory-hard. No homegrown crypto; @noble/hashes does the lifting.
- Opaque server-side tokens. Instantly revocable; nothing decodable in the client.
- EdDSA JWTs verified against published JWKS. Workers verify without ever holding signing keys.
- TOTP and passkeys (WebAuthn). Phishing-resistant where the client supports it.
The console is the only origin a browser ever sees. It reaches the API, auth, and billing over service bindings inside Cloudflare's network — no CORS surface, no cross-site cookies, no tokens in localStorage. The delivery plane is a separate worker with environment-scoped keys and no code path to decryption.
Writes append to the workspace's ordered revision history, fan out to an audit queue, and land as NDJSON in R2 — an append-only warehouse you can export. The same trail powers "what changed and why" in the console.
```
// audit/2026/06/05.ndjson — append-only, R2
{"ts":"2026-06-05T09:41:22Z","actor":"blake@","action":"flag.update","key":"checkout-v2","rev":89,"why":"canary: EU first"}
{"ts":"2026-06-05T08:12:04Z","actor":"ci@","action":"secret.rotate","key":"STRIPE_KEY","rev":87,"why":"90-day policy"}
{"ts":"2026-06-04T17:30:11Z","actor":"sam@","action":"promotion.apply","from":"staging","to":"production","risk":"low","approvals":2}
```
The core is MIT-licensed. The envelope-encryption implementation is a readable package, not a black box, and CI fails any build that adds telemetry to core. Found a hole? security@edgevault.io — fixes get attributed.