Appearance
Secrets
This section covers Device-local secrets: the Factotum service that holds them, how callers access them without ever holding the raw bytes, and the rotation runbook.
Pages in this section
- Credential references — the lease/materialize discipline. How to use a credential without holding it.
- Factotum / secrets service — the full op surface, the on-disk layout, and the import flow.
- Secret rotation — rotation patterns per credential layer.
- No raw OAuth tokens on local host — the architectural rule, the threat model, and the four code-review consequences. (Mirrors the equivalent page in
docs-devicesbecause this is a cross-cutting rule.)
CLAUDE.md Rule 4
Credentials go through Factotum ONLY.
system.factotumis the ONE actor that reads/writes credential files. Inference credentials NEVER leave the local machine.
Every page in this section operationalizes that rule.