HarperZ9/kun

Vault (Kun) - Project Telos Private-Line Access Vault

Kun private access vault visual identity with path-only recovery boundary

Vault is the Project Telos private-line access recovery surface. It is currently housed in the Kun repository. Its public value is the operating pattern, not the credential material: path-only receipts, manual diagnostics, rotation discipline, operator-only publication bounds, and a clear separation between developer-facing documentation and live recovery material.

This repository's public-safe surface is intentionally value-free. Treat Vault as internal infrastructure for recovering and validating operator access, while repository-facing summaries describe architecture, verification checks, and boundaries without copying live endpoints, credential paths, passphrases, key material, or private access values.

GitHub description: Vault: Project Telos access-recovery vault with path-only receipts and operator-owned credential boundaries.

Why it matters

Vault gives the private line a controlled recovery substrate. The useful shape is not "a repository with secrets"; it is a narrow operating contract:

  • recovery material stays in a private vault;
  • operator documentation points to runbooks instead of inlining live values;
  • diagnostics are manual-only and read-only by default;
  • rotation scratch material stays ignored until deliberately promoted;
  • receipts expose verdicts and path references without raw credential values.

This is the access-side complement to Ledger, Lab, Runtime, and Boundary. Ledger (Sofer) orchestrates work, Lab supplies native capability, Runtime packages local runtime state, Boundary calibrates IO, and Vault preserves the recovery channel without widening the model boundary.
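An added illustration of the path-only receipt contract listed above; it is not code from this repository and does not show how scripts/kun_doctor.py is implemented. The file is inspected with stat only, and a gate rejects receipts with extra fields, free-text verdicts, or secret-looking strings. The field names, verdict values, and the 40-character heuristic are assumptions.

```python
import json
import os
import re
import stat
import tempfile

ALLOWED_KEYS = {"check_id", "verdict", "path", "mode"}   # assumed schema
VERDICTS = {"pass", "fail", "missing"}                   # assumed enum
# Heuristic: PEM headers or long unbroken token runs do not belong in a receipt.
SECRET_LIKE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|[A-Za-z0-9+=_-]{40,}")


def path_receipt(check_id, path):
    """Describe a credential file by path and permission bits; never open it."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return {"check_id": check_id, "verdict": "missing", "path": path, "mode": None}
    # Any group/other permission bit on recovery material fails the check.
    verdict = "pass" if mode & 0o077 == 0 else "fail"
    return {"check_id": check_id, "verdict": verdict, "path": path, "mode": oct(mode)}


def assert_value_free(receipt):
    """Raise ValueError if a receipt could carry credential material."""
    extra = set(receipt) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"unexpected receipt fields: {sorted(extra)}")
    if receipt.get("verdict") not in VERDICTS:
        raise ValueError("verdict must come from the fixed enum, not free text")
    for key, value in receipt.items():
        if isinstance(value, str) and SECRET_LIKE.search(value):
            raise ValueError(f"field {key!r} looks like secret material")
    return receipt


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "constructed_key")  # constructed sample file
        with open(key_path, "w") as fh:
            fh.write("constructed-placeholder-not-a-real-secret")
        os.chmod(key_path, 0o600)
        print(json.dumps(assert_value_free(path_receipt("key.perms", key_path))))
```

The permission check relies on POSIX mode bits, so it is meaningful on Linux and macOS hosts only.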

Usage

Run read-only checks from the repository root.

```shell
python scripts/kun_doctor.py status --json
python scripts/kun_doctor.py doctor --json
python scripts/kun_doctor.py demo --json
python -m pytest tests/test_kun_doctor.py -q
```

For setup, verification, and boundary details, see USAGE.md. For operator recovery, use the dedicated private runbooks already in this repository; do not copy their live values into README, changelog, issues, public forums, or model-facing summaries.

For developers

Vault changes should be local-first and receipt-backed. The safe development loop is:

```shell
python -m pytest tests/test_kun_doctor.py tests/test_kun_forward_delivery.py -q
python -m public_surface_sweeper . --workspace --json
python scripts/kun_doctor.py doctor --json
```

Do not expand live access behavior in documentation-only changes. Do not push this repository while it remains a private access vault unless the operator has explicitly finalized the rotation/publication decision.

Flagship Contract

| Surface | Status |
| --- | --- |
| CLI JSON | `python scripts/kun_doctor.py status\|doctor\|demo --json` |
| Runtime posture | read-only local checks; no live auth touched |
| Diagnostic posture | manual workflow only; no push or pull-request trigger |
| Privacy boundary | hosts receive check ids, verdicts, and path references only |
| Recovery boundary | private runbooks stay operator-only; README stays value-free |
| Integration | Aleph private-line doctor executes kun.doctor as a native check |
| Companion tools | Ledger, Lab, Runtime, and Boundary consume Vault as a bounded private-line access substrate |

Repository Map

| Path | Purpose |
| --- | --- |
| scripts/kun_doctor.py | JSON status, doctor, and demo envelopes |
| tests/ | Receipt and forward-delivery regression tests |
| USAGE.md | Developer install, run, verify, and boundary guide |
| AGENTS.md | Operator and agent working rules |
| docs/PRIVATE_LINE.md | Private-line component contract |
| ZERO-TO-ACCESS.md | Operator recovery runbook; keep private |
| PORTAL.md | Operator portal runbook; keep private |
| access/README.md | Sanitized local-vault boundary; live access/ssh/ and access/tor/ material stays untracked |

Current Status

  • Visibility: public repository for value-free docs and receipts; private live material remains local/operator-only and ignored.
  • Runtime posture: read-only local doctor and manual diagnostics.
  • Publication posture: publishable only when tracked access material is limited to sanitized boundary docs.
  • Delivery posture: root README, usage docs, changelog, authorship, contribution guidance, license marker, and visual identity are present.
