Vault Connector coming soon
Configure a vault endpoint so ModelReins never stores your secrets — only
references (vault://slack/webhook-url) that get resolved at
dispatch time. Workers declare requires_secrets in their
capabilities; the Matriarch reads them from your vault on demand; nothing
sensitive ever lives in the ModelReins DB.
Supported backends (in priority order)
Tier 1
Vaultwarden / Bitwarden
Self-hosted, open-source, aligned. The preferred path.
You run the vault; ModelReins never touches raw credentials. API-token
authentication, per-item ACL, full audit trail on your side.
Tier 2
HashiCorp Vault
Fleet-grade secrets substrate — dynamic credentials, TTL-bound leases,
policy-scoped tokens. Good match if your infra already runs Vault for
non-ModelReins secrets.
Tier 3
Keeper · 1Password · LastPass
Enterprise-vault compatibility layer. Lets teams onboard ModelReins
without migrating off an existing password manager. Migration path
to a Tier-1 backend when you're ready.
Tier 4
Environment variables on disk
Fallback only. No rotation, no audit, no ACL. Keeps self-hosted users
unblocked but is actively discouraged in the UI.
Not built yet. This page captures interest so we can tell
which backend to ship first. Clicking a tier below logs an audit entry
against your tenant (no PII, no credential data — just the tier name and a
timestamp) so we have something to prioritize against.