gRPC API Reference
The Secrets Agent exposes a gRPC service over Unix domain socket for the AI Core to manage secrets.
Service Definition
service SecretsService {
rpc Health(Empty) returns (HealthResponse);
rpc StoreSecret(StoreSecretRequest) returns (StoreSecretResponse);
rpc RequestSecretAccess(AccessRequest) returns (stream AccessResponse);
rpc RequestUserSecret(UserSecretRequest) returns (stream AccessResponse);
rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse);
rpc DeleteSecret(DeleteSecretRequest) returns (DeleteSecretResponse);
rpc GetAuditLog(AuditLogRequest) returns (stream AuditLogEntry);
}Transport
| Property | Value |
|---|---|
| Socket path | /run/ultrasushitron/secrets-agent.sock |
| Protocol | gRPC over Unix domain socket |
| Serialization | Protocol Buffers (proto3) |
Methods
Health()
Check if the secrets agent is running and healthy.
message HealthResponse {
bool healthy = 1;
string version = 2;
uint64 uptime_seconds = 3;
}StoreSecret(StoreSecretRequest)
Store a new secret in the encrypted vault.
message StoreSecretRequest {
string name = 1;
string value = 2; // Plaintext β encrypted at rest
SecretType secret_type = 3;
map<string, string> metadata = 4;
}message StoreSecretResponse {
string secret_id = 1;
bool success = 2;
string error = 3;
}RequestSecretAccess(AccessRequest)
Request access to a stored secret. Returns a server-side stream that progresses through: Pending β Token (approved) or Denied.
message AccessRequest {
string secret_name = 1;
string tool_name = 2; // Which tool needs the secret
string reason = 3; // Context shown to the user
AccessDuration duration = 4;
}message AccessResponse {
AccessStatus status = 1; // PENDING, APPROVED, DENIED, EXPIRED
string token = 2; // One-time access token (on APPROVED)
string error = 3;
}Timeout: If the user does not respond within 5 minutes, the request is automatically denied.
Approval cascade:
- Send approval request via local WebSocket to the mobile app
- If local WebSocket unavailable, try relay server
- If no response path available, deny the request
RequestUserSecret(UserSecretRequest)
Request a secret that the user must provide on-the-fly (not stored in the vault). Used for one-time credentials.
message UserSecretRequest {
string prompt = 1; // What to ask the user
string tool_name = 2;
string reason = 3;
}ListSecrets(ListSecretsRequest)
List all secrets in the vault (metadata only, not values).
message ListSecretsResponse {
repeated SecretMetadata secrets = 1;
}
message SecretMetadata {
string id = 1;
string name = 2;
SecretType secret_type = 3;
int64 created_at = 4;
int64 last_accessed = 5;
}DeleteSecret(DeleteSecretRequest)
Permanently delete a secret from the vault.
message DeleteSecretRequest {
string secret_id = 1;
}
message DeleteSecretResponse {
bool success = 1;
string error = 2;
}GetAuditLog(AuditLogRequest)
Stream the hash-chained, Ed25519-signed audit log. Each entry includes the SHA-256 hash of the previous entry for tamper detection.
message AuditLogEntry {
string entry_id = 1;
string action = 2; // STORE, ACCESS, APPROVE, DENY, DELETE
string secret_name = 3;
string actor = 4; // Who performed the action
int64 timestamp = 5;
string previous_hash = 6; // SHA-256 chain
bytes signature = 7; // Ed25519 signature
}Enums
SecretType
| Value | Description |
|---|---|
PASSWORD | Login credentials |
API_KEY | API keys and tokens |
SSH_KEY | SSH private keys |
CREDIT_CARD | Payment information |
PERSONAL_INFO | PII (names, addresses, etc.) |
NOTE | Freeform secure notes |
AccessDuration
| Value | Description |
|---|---|
ONE_TIME | Single use, then revoked |
FIVE_MINUTES | 5-minute access window |
ONE_HOUR | 1-hour access window |
ONE_DAY | 24-hour access window |
ONE_WEEK | 7-day access window |
ONE_MONTH | 30-day access window |
ONE_YEAR | 365-day access window |
Error Handling
gRPC status codes are used for transport errors. Application-level errors are returned in the error field of response messages:
NOT_FOUNDβ secret does not existALREADY_EXISTSβ secret name already takenPERMISSION_DENIEDβ access denied by user or timeoutINTERNALβ vault encryption/decryption error