Contents

Executive Summary
The Problem: AI Agents & the God Key
Market Landscape
The Davy.Locker Solution
Architecture: The Bank Model (Component Map, Armored Truck, Lockdown, Daily Operations)
The Credential Security Runtime
The Least-Context Principle
The Kraken: AI-Powered Security Officer
Auto-Rotation & Lockdown Protocol
Product Tiers: Credit Union vs. Mission Control
Feature Comparison
Security & Cryptography
Compliance & Liability
Roadmap
Competitive Position

01 — Executive Summary

Davy.Locker is a credential security runtime for AI agents. It encrypts credentials locally, proxies them to AI agents without ever exposing raw secrets, monitors every access through a real-time audit log, and auto-rotates keys when threats are detected.

Developers install it for free and self-host it anywhere—laptop, server, or cloud instance. The paid tier adds centralized mission control, team sharing, and The Kraken: an AI-powered security officer that watches over your entire agent fleet.

Core insight: AI agents don't need to see your API keys. They just need to use them. Davy.Locker makes that distinction real.

85%

of agent deployments run without full security approval

93%

of agent projects use plaintext API keys in .env files

28%

YoY increase in API key exposure in logs & config

02 — The Problem: AI Agents & the God Key

The AI agent ecosystem is exploding. Gartner projects that 40% of enterprise applications will embed task-specific AI agents by end of 2026, up from less than 5% in 2025. These agents need credentials—API keys, database passwords, OAuth tokens—to do their jobs.

Today, the default approach is terrifying:

Paste the API key into an environment variable and hope nothing leaks it
Give the agent full access—there's no mechanism for scoped, temporary permissions
Zero audit trail—no record of which agent used which credential, when, or why
No rotation—keys sit unchanged for months or years because rotation is painful
No revocation—if an agent is compromised, there's no kill switch

The God Key Problem

When you give an AI agent an API key via .env, you're giving it the God Key—unrestricted, unmonitored, irrevocable access. The agent can read it, log it, send it to any endpoint, and you'll never know. This is the security equivalent of giving your house key to a stranger and hoping they only open the front door.

The Five Critical Gaps

Gap	Current Reality	Risk
God Key Access	Agents get full credential values in memory	Prompt injection can exfiltrate secrets
Response Data Leakage	Agents see everything an API returns	SSNs, bank data, PII exposed to LLM context
MCP Credential Sprawl	MCP servers store tokens in plaintext config	Shared access, no least-privilege, no governance
Zero Audit Trail	No logging of credential usage by agents	Impossible to detect breaches or misuse
Painful Rotation	Manual key rotation across every config/server	Keys never rotated; stale credentials everywhere

03 — Market Landscape

The AI agent security market is nascent but rapidly forming. Analysts project the agentic AI economy at $2.6–4.4 trillion, and security is the critical infrastructure layer beneath all of it.

Existing Players

Player	Focus	Gap
1Password	Enterprise unified access (launched March 2026)	Enterprise sales cycles; no developer self-serve
CyberArk	Enterprise identity security	$500K+ contracts; no agent-native model
Aembit	Non-human identity management	Enterprise-focused; not framework-agnostic
HashiCorp Vault	Infrastructure secrets management	Complex ops overhead; no AI agent awareness
Arcade AI	OAuth flows for agent integrations	Auth only; no vault, no audit, no lenses

Market Gap

Every existing solution is either enterprise-first (6-month sales cycles), platform-locked (only works with their framework), or partial (handles auth but not audit, or tokens but not injection). Nobody offers an npm-installable, self-hosted, framework-agnostic credential security runtime that a developer can adopt in an afternoon.

04 — The Davy.Locker Solution

Davy.Locker is a credential security runtime—not a password manager. The difference is fundamental:

Password Manager	Credential Security Runtime
Stores secrets	Stores, scopes, escorts, monitors, rotates, and revokes secrets
You copy-paste keys where needed	Proxy injects credentials at request time—agents never see raw values
Binary access: yes or no	Layered access: USE_ONLY, READ, BLOCKED, with field-level response filtering
Static storage	Active monitoring, anomaly detection, auto-rotation

The Nine Pillars

Agent Security

USE_ONLY proxy, scoped grants, session-based permissions, risk tiers, smart policies

Response Lenses

Field-level redaction per service. Agents see invoices, not bank accounts.

Encrypted Vault

AES-256-GCM + Argon2id. API keys, logins, notes, files. Zero-knowledge.

Password Manager

Browser extension, autofill, import from 1Password/Dashlane/Bitwarden

Team Sharing

Encrypted transfers, per-credential permissions, revocable shared access

Security Scanner

Find exposed secrets in Drive, .env files, configs. One-click pull to vault.

2FA Code Relay

Auto-detect email 2FA codes, relay to authorized users and agents

AI Context Vault

Portable encrypted context. Your AI brain travels with you, zero footprint on exit.

DB Encryption SDK

Field-level database encryption. Encrypt SSN/credit card columns, leave name/email queryable.

05 — Architecture: The Bank Model

To understand Davy.Locker, think of it as a bank—not metaphorically, but structurally. Every component in the system maps directly to how a physical bank secures, transports, and monitors access to valuables. This model governs the architecture, the product tiers, and the security protocols.

The Building: Component Map

Bank Concept	Davy.Locker Component	Function
The vault in the basement	Encrypted credential store	AES-256-GCM encrypted storage at rest. Credentials locked behind a master password derived via Argon2id. Without the key, the vault is indistinguishable from random noise.
Safe deposit boxes	Folders & credential types	Credentials organized by project, client, or purpose. Each agent is only assigned access to specific boxes—never the whole vault.
The teller window	USE_ONLY proxy	Agents walk up to the window and request what they need. The teller retrieves it from the vault and handles the transaction on the agent's behalf. The agent never goes behind the counter.
Account permissions	Grant scopes (USE_ONLY / READ / BLOCKED)	Like bank account tiers: some customers can view their balance, some can make withdrawals, some are restricted. Each agent gets exactly the access level they need.
Security cameras	Audit log	Every transaction recorded: who accessed what, when, from where, and what they did with it. Immutable, timestamped, searchable.
Security guards	The Kraken (AI security officer)	Patrolling the floor, watching the cameras, looking for anything unusual. Knows the normal patterns and flags deviations in real-time.
Bank ID check	Agent authentication & sessions	Every agent must present credentials before accessing the teller. Session tokens verify identity and expire automatically.
Armored truck	Proxy injection pipeline	Credentials are loaded into a secure transport, driven to the destination, used, and the truck returns empty. Nothing left behind.
"View balance, not withdraw"	Response lenses	An agent can see invoices but not bank account numbers. Lenses control what's visible in every API response—field by field.
Changing the vault combination	Auto-rotation	The vault keys don't stay the same for months. They're rotated on schedule—weekly, monthly, or instantly when a threat is detected.
Panic button / bank lockdown	Emergency rotation & quarantine	When a robbery is detected, windows slam shut, vault re-keyed, suspect locked out, and everything that wasn't compromised keeps operating with new keys.

The Armored Truck: Escorted Credential Delivery

This is the core of what makes Davy.Locker different from a password manager. Credentials aren't handed to agents—they're escorted. Like an armored truck service, the credential is loaded into a secure transport, driven to the destination, used under supervision, and then destroyed on the return trip. The agent never holds the credential in memory.

Step	Armored Truck	Davy.Locker
1. Request	Customer requests a cash delivery	Agent requests to call an API (e.g., Stripe)
2. Verification	Bank verifies the customer's identity and authorization	Grant check—is this agent authorized for this credential at this scope?
3. Loading	Cash loaded into armored truck from vault	Proxy retrieves credential from encrypted vault, injects into HTTP headers
4. Transport	Armed guards escort the delivery	TLS-encrypted request with auth header injected—agent never touches raw value
5. Delivery	Cash handed directly to recipient, signed for	API receives authenticated request, processes it, returns response
6. Filtering	Recipient only gets what they ordered	Response lens filters sensitive fields before agent sees the data
7. Logging	Delivery manifest signed and filed	Audit log: timestamp, agent ID, credential used, endpoint, result
8. Return	Truck returns empty, documents shredded	Credential never persisted in agent memory—session ends, trace destroyed

The full escort lifecycle: Agent → "I need to call Stripe API" | Grant Check → Is this agent authorized? What scope? | Vault → Credential retrieved from encrypted store | Armored Truck → Auth header injected into outbound request | Agent never touches the raw key | Stripe API → Receives authenticated request, returns response | Response Lens → Filters sensitive fields (SSNs, bank data, PII) | Audit Log → Full transaction record filed | Truck returns empty → Credential never persisted in agent memory

The Lockdown: Bank Robbery Response

When something goes wrong—an agent starts behaving erratically, an unusual volume of requests hits a credential, or an unauthorized access attempt is detected—the bank goes into lockdown. The Kraken initiates the emergency protocol:

Lockdown Sequence

1. SLAM THE WINDOWS Revoke the compromised agent's grant immediately. No more transactions. Session terminated. 2. RE-KEY THE VAULT Auto-rotate the affected credential via the provider's API. Old key invalidated. New key generated and stored in vault. 3. QUARANTINE THE SUSPECT Flag the agent. Block its session token. Full forensic log preserved for review. 4. UPDATE THE INNOCENTS Every other agent using that credential continues operating. Proxy automatically injects the new key on their next request. Zero downtime. Zero manual reconfiguration. 5. FILE THE REPORT Full incident timeline: what happened, when, which agent, what was accessed, what was blocked, what was rotated. User reviews over coffee. Nothing was compromised.

Changing the Vault Combination

A real bank doesn't keep the same vault combination for months. The combination changes regularly—and if there's any hint of a breach, it changes immediately. Davy.Locker works the same way.

Because the proxy is the single injection point for all credentials, rotating a key requires zero changes anywhere else. No config files to update, no servers to redeploy, no agents to reconfigure. The vault combination changes, and every authorized agent automatically gets the new key on their next request.

Before rotation: Agent → Proxy → injects Key ABC123 → Stripe API Vault combination changed: Agent → Proxy → injects Key XYZ789 → Stripe API Agent unchanged. Config unchanged. Zero downtime.

Your Branch vs. Headquarters: The Business Model

The bank model extends naturally to the product tiers. The distinction isn't between a worse bank and a better bank—it's between running your own branch and having access to the full banking network with a headquarters watching over it.

Your Own Branch (Free Tier)

You build your own bank on your own property. You hire the tellers, install the vault, mount the security cameras, and set the rules. It's fully operational—same vault, same locks, same armored trucks as any bank in the world. The only difference: you're a single branch. You see what happens inside your four walls, and you manage it yourself.

The vault: Full bank-grade encryption (AES-256-GCM, Argon2id)—identical to what the largest banks use
The teller: Complete USE_ONLY proxy—agents get served without ever going behind the counter
The cameras: Full audit log on this branch—every transaction recorded and searchable
The safe deposit boxes: Unlimited credentials, unlimited agents, all four types (API keys, logins, secure notes, files)
The property: Runs on your infrastructure—laptop, VPS, AWS, Docker, Kubernetes—wherever your agents live
The overhead: No account required. No cloud dependency. No monthly fee. You own it.

This is a real, fully operational bank. Not a demo, not a trial, not a limited version. Your credentials are as secure here as they would be in any configuration.

The Banking Network & Headquarters (Paid Tier — Mission Control)

Your operation grows. You've got branches in multiple locations—credentials on your dev laptop, a staging server, two production servers, and your co-founder's machine. Each branch runs its own vault, its own proxy, its own audit log. But now you need something no single branch can provide: a headquarters that sees everything.

Central command: One dashboard connecting every branch. See all vaults, all grants, all agents—everywhere—from one screen
The Kraken at HQ: AI security monitoring doesn't just watch one branch—it correlates patterns across all branches. An anomaly at Branch A + an unusual request at Branch B might mean nothing alone, but together they tell a story
Cross-branch management: Rotate a credential once at HQ, every branch gets the new key instantly
Staffing (team access): Invite team members, assign roles, share vaults with per-person permissions. Your co-founder gets access to the deploy keys; the intern doesn't
Auto-rotation: Scheduled key changes across all branches simultaneously. Kraken-triggered emergency rotation that locks down every branch in seconds
The alert system: Suspicious activity at any branch triggers Slack, email, or webhook notifications to the right people immediately
Compliance & reporting: Consolidated audit trail across the entire network. One-click export for compliance evidence

The Natural Upgrade

Nobody starts with a headquarters. You start with one branch because it's simple and it works. Then your operation grows—agents across multiple servers, credentials flowing through different environments, team members who need access. You don't upgrade because the branch was bad—you upgrade because you need a headquarters. The security is already bank-grade. The upgrade is about visibility, coordination, and control at scale.

Daily Operations: A Day at the Bank

To understand how Davy.Locker works in practice, walk through a full day at the bank—from the moment the doors open to close of business and beyond.

Opening: The Developer Unlocks the Vault

The bank doesn't operate 24/7 without supervision. When the developer starts their session, they unlock the vault with their master password. This derives the encryption key via Argon2id and loads the vault into memory. The bank is now open for business. Tellers are at their windows. Cameras are rolling.

The Regular Customer: A Trusted Agent

A trusted agent—say, a deployment bot—walks through the front door. It's been here before.

ID check at the door. The agent presents its session token. The bank verifies: yes, this is deploy-bot, authenticated and recognized.
Walks up to the teller. "I need to deploy to Vercel." The teller checks the ledger: deploy-bot has a persistent USE_ONLY grant for the Vercel token. Risk tier: medium. It was approved last week and set to persist.
The teller retrieves the credential. Goes to the vault, pulls the Vercel token from Safe Deposit Box "Deploy Keys." The agent waits at the window—it never goes behind the counter, never sees the vault.
Armored truck dispatched. The teller doesn't hand the key to the agent. Instead, the proxy loads the credential into the outbound HTTP request—injecting the Authorization: Bearer header directly. The agent's request goes to Vercel fully authenticated.
Delivery confirmed. Vercel processes the deployment and returns a response. The response passes through the lens—in this case, a "Deploy Only" lens that shows deployment status but filters out team billing data and admin settings.
Transaction logged. The security camera captures: "10:23 AM — deploy-bot — USE_ONLY — Vercel token — POST /v1/deployments — 200 OK."
Agent leaves. The credential was never in its hands. The truck returned empty. The lobby is clear.

The New Customer: A First-Time Agent

A new agent shows up—one that's never accessed this credential before. This is a code analysis agent that wants to query the GitHub API.

ID check at the door. The agent authenticates with a fresh session token. The bank recognizes the agent identity but sees no existing grant for any GitHub credentials.
The teller escalates. This requires approval. A notification goes to the developer: "research-agent wants to use your GitHub token (USE_ONLY, session-scoped)."
The developer approves. One tap: [Allow This Session]. A session-scoped grant is created—it will auto-expire when the agent's session ends.
The system learns. After the session, the bank asks: "Always allow research-agent to access GitHub (read-only)?" If the developer says yes, next time it's automatic. Just like how your phone stops asking about Bluetooth after the third time.

The VIP Transaction: A High-Risk Credential

An agent needs to process a payment through Stripe. This credential is tagged Critical risk tier.

The teller sees the red flag. Critical-tier credentials always require explicit approval, regardless of any previous grants. No auto-approve. No "remember this." Every single time.
Full verification. The developer gets a detailed prompt: "payment-agent wants to use your Stripe secret key (USE_ONLY). This is a CRITICAL credential. Approve for this request only?"
The developer reviews and approves. The transaction proceeds through the armored truck model. The response lens filters the Stripe response to show transaction confirmation but redact full card numbers and bank account details.
Double-logged. Critical transactions get enhanced audit entries: full request/response metadata, the specific approval timestamp, and the developer who approved it.

The Restricted Customer: A Blocked Agent

An agent requests access to the AWS root credential. Its grant is set to BLOCKED.

The teller says no. Immediately. No escalation, no notification, no negotiation. The agent receives an access-denied response.
Still logged. The attempt is recorded: "11:47 AM — analytics-bot — BLOCKED — AWS root — Access denied." Even denied transactions are on camera.
Pattern watched. If the same agent repeatedly hits BLOCKED credentials, the Kraken flags it: "analytics-bot has attempted to access 3 restricted credentials in the last hour. Investigate?"

After Hours: The Kraken's Patrol

The bank closes for the night (the developer locks the vault or the session ends). But the Kraken doesn't sleep. On the paid tier, it continues monitoring:

Reviewing the day's tapes. Scanning the full audit log for patterns: unusual access times, request volume anomalies, credential access outside established baselines.
Checking the safe deposit boxes. Are any credentials approaching rotation age? Has any API key been unchanged for 90+ days? Are there grants that haven't been used in months?
Cross-branch analysis. If you're on Mission Control, the Kraken correlates patterns across all your branches. A spike at one location plus an unusual request at another might be coincidence—or it might be a coordinated probe.
Morning briefing. When the developer opens up the next day, the Kraken has a summary ready: "All clear. 3 credentials due for rotation. 1 grant unused for 60 days—consider revoking. Security score: A-."

The Key Principle

Agents come and go as they please, as long as they're law-abiding citizens following the processes. The bank runs smoothly—tellers serve, trucks deliver, cameras record. But the moment something steps out of line—someone tries to access a credential they shouldn't, an agent makes 800 requests when it normally makes 30, or someone tries to rob the bank—the security team is already there. The Kraken doesn't wait for a report. It's watching in real time.

06 — The Credential Security Runtime

Permission Model

Permission	What the Agent Can Do	Use Case
`USE_ONLY`	Make API calls through proxy; never sees raw credential	Default for all agents—deploy, query, send
`READ`	Can read the credential value directly	When agent needs to write config files
`BLOCKED`	No access whatsoever	Payment keys, critical infrastructure

Grant Scopes

Scope	Duration	Use Case
`session`	Auto-revokes when agent session ends	One-off tasks
`timed`	Expires after N minutes	Time-boxed operations
`persistent`	Stays until manually revoked	Trusted, recurring workflows

Risk Tiers

Every credential is assigned a risk tier—either automatically from the service catalog or manually by the user:

Tier	Approval Flow	Examples
Low	Auto-approve after first grant	Read-only APIs, dev environment keys
Medium	Session-scoped, one-tap approval	Deploy tokens, staging databases
High	Always prompt	Email/SMS services, production databases
Critical	Always prompt, explicit approval required	Payment processors, AWS root, accounting

Response Lenses

Lenses filter API responses before they reach the agent—not just "can you access this service" but "what can you see inside it."

Example: QuickBooks "Business View" Lens

An agent querying QuickBooks through the proxy with a Business View lens sees invoices, customers, and payments—but bank account numbers, SSNs, and tax IDs are replaced with [REDACTED]. The agent gets useful financial data without seeing sensitive fields. Two layers: schema-based per-service rules and universal pattern-based detection (SSNs, credit cards, private keys).

07 — The Least-Context Principle

Davy.Locker applies the principle of least privilege to credentials—agents only get the specific key they need, scoped to the exact action. But the same principle applies to something even more fundamental: the information agents are given to work with.

Context Is an Attack Surface

When an AI agent starts a task, it's typically loaded with context: conversation histories, memory files, project documentation, architectural notes, and credentials. The more context an agent has, the more information it could accidentally expose, misinterpret, or leak.

This isn't hypothetical. As AI workflows scale, developers routinely feed agents context from dozens of past sessions, multiple project architectures, and unrelated operational knowledge. The agent doesn't know what's relevant. It processes everything—and that creates two distinct problems:

Problem	What Happens	Real-World Impact
Context Pollution	Agent receives information irrelevant to the current task—architecture docs for a different project, optimization history from a completed experiment, credentials for services it won't touch	Output quality degrades. The agent gets confused by competing patterns, makes references to irrelevant systems, and produces less focused work. More context ≠ better results.
Information Leakage	Agent holds sensitive context—client names, financial data, proprietary frameworks, internal SOPs—that has nothing to do with the current task	A prompt injection or misbehaving agent can extract information it should never have had in the first place. The attack surface grows with every irrelevant document loaded into the context window.

Less Context, Better Agents

This is counterintuitive. The instinct is to give agents more context so they have everything they might need. But the evidence points the other way:

The Paradox of Context

An agent with 50 conversation histories, 12 memory files, and architectural docs for 4 projects doesn't perform better than one with just the 3 files relevant to the current task. It performs worse—because it spends capacity navigating irrelevant information instead of focusing on the objective.

Think of it like a bank teller. A teller who needs to process your deposit doesn't need access to the CEO's office, the loan department's files, or the security footage archive. Giving them that access doesn't help—it creates risk and slows them down. The best tellers have exactly what they need and nothing more.

This maps directly to Davy.Locker's architecture:

Layer	Least Privilege (Credentials)	Least Context (Information)
Access Control	Agent gets only the specific API key it needs	Agent gets only the project docs and context for the current task
Response Filtering	Lenses strip sensitive fields from API responses	Context scoping strips irrelevant knowledge bases before they enter the context window
Time Scoping	Grants expire when the session ends	Task-specific context loads at session start and evaporates when the objective is complete
Audit	Every credential use is logged	Every context access is logged—which knowledge bases were loaded, which were excluded, and why

Scoped Knowledge Grants

Davy.Locker's Portable AI Context Vault (Pillar 8) implements this as scoped knowledge grants—the same permission model used for credentials, applied to information:

Task declaration: When an objective is set ("deploy the webinar worker to Railway"), Davy.Locker determines the minimum context required: Railway config, Dockerfile, queue setup, and the relevant deployment SOP. Nothing else loads.
Knowledge scoping: Context files are organized in the vault the same way credentials are—by project, by domain, by sensitivity level. Agents receive grants to specific knowledge scopes, not blanket access to everything.
Automatic exclusion: Proprietary frameworks, client data, unrelated project architectures, and completed experiment histories stay locked in the vault unless explicitly granted. The agent's context window stays clean.
Session isolation: Each agent session starts with a clean context tailored to its objective. When the session ends, that context evaporates. No cross-contamination between tasks.

Security Benefit + Performance Benefit

Context scoping is rare in that it simultaneously improves both security and output quality. Fewer loaded documents means a smaller attack surface for information leakage. It also means the agent has less noise to navigate, producing sharper, more focused results. Protecting your agents from unnecessary information isn't just good security—it makes them better at their jobs.

08 — The Kraken: AI-Powered Security Officer

The Kraken is Davy.Locker's built-in AI Chief Security Officer. It continuously monitors audit logs, credential health, and agent behavior to detect threats before they become breaches.

Core Capabilities

Capability	What It Does
Anomaly Detection	Learns normal agent behavior patterns. Alerts on unusual access times, request volume spikes, new IP addresses, or credential access outside established patterns.
Grant Hygiene	"Agent research-bot hasn't used the Stripe credential in 90 days. Revoke?" Identifies over-provisioned agents and stale permissions.
Credential Health	Tracks key age, rotation status, and exposure risk. Flags credentials that haven't been rotated, are shared across too many agents, or show signs of compromise.
Security Score	Real-time security posture grade (A–F) across your entire agent fleet. Actionable recommendations to improve your score.
Emergency Response	When threats are detected: auto-rotate compromised credentials, revoke suspicious grants, quarantine agents, and notify the user—all within seconds.

Scenario: The Kraken Responds to a Threat

03:47 AM — Anomaly detected
Agent "research-bot" made 847 API requests in 12 minutes
Normal baseline: ~30 requests/hour

03:47 AM — Auto-response initiated
• Compromised credential auto-rotated (new key generated via Stripe API)
• Agent "research-bot" grant revoked and session terminated
• All other agents using Stripe credential: unaffected (new key injected automatically)
• Full incident audit log captured

03:48 AM — Alert sent to user via Slack + email
07:15 AM — User reviews incident report over coffee. Nothing was compromised.

09 — Auto-Rotation & Lockdown Protocol

Credential rotation is the most neglected security practice because it's painful. Davy.Locker makes it automatic.

Why Rotation Is Trivial With a Proxy

Because agents never hold raw credentials, rotating a key requires zero changes to any agent, config file, or deployment. The proxy is the single injection point:

Before rotation: Agent → Proxy → injects Key ABC123 → Stripe API After rotation (vault updated): Agent → Proxy → injects Key XYZ789 → Stripe API Agent unchanged. Config unchanged. Zero downtime.

Three Rotation Modes

Mode	Trigger	Process
Scheduled	Policy: every 30/60/90 days	Davy.Locker calls provider API, generates new key, updates vault. Notification sent.
Kraken-Triggered	Anomaly detected	Emergency rotation. Compromised key invalidated, new key issued, suspicious agent quarantined.
One-Click Manual	User clicks "Rotate Now"	Dashboard button handles provider API call and vault update in one action.

The Lockdown Protocol

When the Kraken detects a breach, the lockdown sequence executes automatically:

Slam the windows — Revoke the compromised agent's grant immediately
Re-roll the vault keys — Auto-rotate the affected credential via provider API
Quarantine the suspect — Flag the agent, block its session token
Update the innocents — All other agents get the new key automatically through the proxy
File the report — Full incident timeline, audit log, and response summary

Key Insight

The proxy architecture isn't just a security feature—it's the foundation that makes auto-rotation, The Kraken, and zero-downtime credential management all possible. Without a proxy sitting between the agent and the credential, rotation requires touching every config on every server. With it, you update the vault once and every agent gets the new key on their next request.

10 — Product Tiers: Credit Union vs. Mission Control

The Free Tier: "The Credit Union"

Small, local, yours. Full security, no compromise. The complete credential security runtime running on your own infrastructure. No account required, no cloud dependency, no tracking.

Full AES-256-GCM encrypted vault with all credential types
USE_ONLY proxy with scoped grants and response lenses
Complete audit log (local)
Unlimited agents, unlimited credentials
Self-hosted: laptop, VPS, AWS, Docker—anywhere
Open-source SDK (@davy/agent-auth)

The Paid Tier: "Mission Control"

The international bank. One command center for your entire agent fleet across every server, every project, every team member.

Everything in Free, plus:
Cloud dashboard—one pane of glass for all instances
Multi-server sync—connect all self-hosted nodes into one view
The Kraken—AI security monitoring, anomaly detection, auto-response
Auto-rotation—scheduled, triggered, and one-click
Team sharing—shared vaults, role-based access, invite members
Security score—real-time posture grade with recommendations
Alert system—Slack, email, and webhook notifications
Usage analytics—which agents use what, how often, when
Compliance export—one-click audit reports

The Upgrade Moment

Developers don't upgrade because the free tier is limited—it isn't. They upgrade when they have more than one server or more than one person. That's the natural inflection point where centralized visibility and team management become essential. No artificial limits. No "you've hit your credential cap." Just a real scale problem with a real solution.

11 — Feature Comparison

Feature	Free $0 forever	Pro ~$29/mo	Enterprise Custom
Encrypted vault (AES-256-GCM)	✓	✓	✓
All credential types (API keys, logins, notes, files)	✓	✓	✓
USE_ONLY agent proxy	✓	✓	✓
Response lenses (field-level redaction)	✓	✓	✓
Audit log	Local per server	Unified across all servers	Unified + retention policies
Grants & permissions	Per-server config	Central dashboard	Central + policy engine
Agents & credentials	Unlimited	Unlimited	Unlimited
Self-hosted deployment	✓	✓	✓
Cloud dashboard	—	✓	✓
Multi-server sync	—	Up to 10 nodes	Unlimited
The Kraken (AI security officer)	—	✓	✓ + custom rules
Auto-rotation	—	✓	✓
Security score & recommendations	—	✓	✓
Alert system (Slack / email / webhook)	—	✓	✓
Team sharing & roles	—	Up to 5 members	Unlimited + SSO/SAML
Credential rotation reminders	—	✓	✓
Grant hygiene reports	—	✓	✓
Usage analytics	—	✓	✓
Compliance export	—	Basic	SOC 2 evidence + DPA
Support	Community / GitHub	Priority	Dedicated + SLA

12 — Security & Cryptography

Cryptographic Foundations

Function	Algorithm	Implementation
Encryption at rest	AES-256-GCM	Web Crypto API (browser/Node native)
Key derivation	Argon2id	hash-wasm (WASM, no native deps)
Key exchange	X25519	tweetnacl (pure JS, audited)
Random generation	CSPRNG	Web Crypto `getRandomValues()`

Zero-Knowledge Architecture

Master password never leaves the device. It derives the encryption key locally via Argon2id, then is discarded.
Vault data is encrypted at rest. The file on disk is AES-256-GCM ciphertext. Without the master password, it's indistinguishable from random noise.
No telemetry, no cloud sync (free tier). The application runs entirely locally with no outbound connections.
Open-source cryptography. All crypto libraries are well-audited, NIST-approved, open-source implementations. No proprietary cryptographic code.

Threat Model

Threat	Mitigation
Agent prompt injection to exfiltrate credentials	USE_ONLY proxy—agent never has raw credential in context
Stolen vault file	AES-256-GCM + Argon2id—brute force infeasible
Compromised agent session	Session-scoped grants auto-expire; Kraken detects anomalies
Overprivileged agent	Risk tiers + grant hygiene reports + least-privilege defaults
Sensitive data in API responses	Response lenses + universal pattern-based redaction
Stale / compromised credentials	Auto-rotation (scheduled + Kraken-triggered)
Man-in-the-middle	TLS enforced on all proxy requests; X25519 for key exchange

13 — Compliance & Liability

Zero-Knowledge = Minimal Compliance Burden

Because Davy.Locker's free tier is entirely self-hosted with zero-knowledge encryption, the compliance burden falls on the infrastructure operator (the developer), not on Davy.Locker as a company. This is the same model used by KeePass, Bitwarden self-hosted, and Signal.

Scenario	Compliance Required	When
Open-source SDK, self-hosted	MIT/Apache 2.0 license only	Now
Cloud dashboard (metadata only)	Privacy policy, GDPR DPA	Paid tier launch
Team sharing with relay	SOC 2 Type I recommended	Team features launch
Enterprise customers	SOC 2 Type II, cyber insurance	Enterprise tier

Liability Shield

The self-hosted architecture means Davy.Locker never holds, transmits, or processes user credentials. This provides the same legal protection as any open-source security library: the software is provided "as-is" under standard open-source licensing. Compliance costs scale with revenue—SOC 2 certification is only necessary when cloud-hosted features and enterprise contracts justify the investment.

14 — Roadmap

Phase	Deliverable	Status
Phase 1	Agent Security MVP—crypto, vault, agent-auth, MCP server (59 tests)	Complete
Phase 1.5	Service catalog, response lenses, pattern redaction, CLI (94 tests)	Complete
Phase 2	Desktop app (Tauri) with vault UI, system tray notifications	In Progress
Phase 3	Auto-rotation engine + provider API integrations	Planned
Phase 4	The Kraken—AI monitoring, anomaly detection, security scoring	Planned
Phase 5	Cloud Mission Control—dashboard, multi-server sync, alerts	Planned
Phase 6	Team sharing—shared vaults, roles, encrypted transfers	Planned
Phase 7	Browser extension—autofill, form detection, password manager	Planned
Phase 8	2FA code relay—email monitoring, agent/team relay	Planned
Phase 9	Portable AI context vault—cloud sync, zero-footprint sessions	Planned
Phase 10	Security scanner—find exposed secrets across systems	Planned
Phase 11	Field-level DB encryption SDK	Planned

15 — Competitive Position

The Security Spectrum: Where Everyone Banks

Using the bank model, it's easy to see where each approach to credential security falls on the spectrum—and how far most developers have to travel to reach real security:

Level	Bank Equivalent	What It Looks Like	Who's Here
Level 0	Cash under the mattress	API keys hardcoded in source code, pasted in Slack messages, committed to Git repos. No encryption, no access control, no audit trail. Credentials visible to anyone with access to the codebase.	Alarmingly common—GitGuardian reports millions of secrets exposed in public repos every year
Level 1	A lockbox in the closet	`.env` files on disk. Marginally better—at least the keys aren't in source control (usually). But they're plaintext on the server, every process can read them, and agents get the raw values in memory. No rotation, no audit, no scoping.	93% of AI agent projects (the industry default)
Level 2	A home safe	Password managers (1Password, Bitwarden) or cloud secret managers (AWS Secrets Manager). Encrypted storage, but credentials are still copy-pasted out and given to agents as raw values. The safe is good; the transport is still unprotected.	Security-aware developers and enterprise teams
Level 3	A private vault with tellers and armored trucks	Davy.Locker Free. Encrypted vault + proxy injection + scoped grants + response lenses + audit log. Agents never see raw credentials. Full security on your own infrastructure.	Davy.Locker (Free Tier)
Level 4	A banking network with headquarters and security operations	Davy.Locker Mission Control. Everything in Level 3 + centralized dashboard, multi-server sync, The Kraken, auto-rotation, team sharing, compliance reporting. One command center for your entire operation.	Davy.Locker (Paid Tier)

The Gap

Most developers are at Level 0 or 1—cash under the mattress or a lockbox in the closet. The few who use password managers reach Level 2, but their agents still get raw credentials with no proxy, no scoping, and no audit trail. Nobody in the developer ecosystem is offering Level 3 or 4 today. That's the gap Davy.Locker fills.

Feature Comparison

Capability	Davy.Locker	1Password	HashiCorp Vault	.env Files
Agent-aware credential proxy	✓	—	—	—
USE_ONLY (use without seeing)	✓	—	—	—
Response lenses (field-level)	✓	—	—	—
Auto-rotation via proxy	✓	Partial	✓	—
AI anomaly detection	✓	—	—	—
Self-hosted / no vendor lock-in	✓	—	✓	✓
Developer self-serve (npm install)	✓	—	—	✓
Framework agnostic	✓	—	✓	✓
Zero ops overhead	✓	✓	—	✓
Agent audit trail	✓	Limited	✓	—
Free tier (full security)	✓	—	Open-source	✓

"Bank-grade security for your AI agents. Free."

When you're ready for the war room, upgrade to Mission Control.