7 Semantic Layers

Independent encryption for every aspect of your AI orchestration stack.

0nVault organizes your AI orchestration context into 7 semantic layers. Each layer is encrypted independently with its own AES-256-GCM key, enabling granular access control in multi-party scenarios. Credentials receive double-encryption with Argon2id key derivation.

layers

AES-256

per layer

Argon2id

credentials

Layer Architecture

Workflows

Your .0n SWITCH files -- the orchestration logic that connects services, defines pipelines, and automates processes. Includes step definitions, conditions, transforms, and execution parameters.

Encryption: AES-256-GCMAccess: Owner + authorized parties

Credentials

Double-Encrypted

API keys, OAuth tokens, service passwords, and authentication secrets for all 26 connected services. Double-encrypted: first with Argon2id-derived key, then with the layer key.

Encryption: AES-256-GCM + Argon2idAccess: Owner only (default)

Environment Variables

Runtime configuration values, feature flags, endpoint URLs, and deployment-specific settings. Separated from credentials for different access control needs.

Encryption: AES-256-GCMAccess: Owner + DevOps

MCP Configurations

AI platform configurations for Claude Desktop, Cursor, Windsurf, Gemini, Continue, Cline, and OpenAI. Includes server definitions, tool registrations, and platform-specific settings.

Encryption: AES-256-GCMAccess: Owner + authorized platforms

Site Profiles

Website and application configurations, domain settings, deployment targets, and environment mappings. Links orchestration contexts to specific deployments.

Encryption: AES-256-GCMAccess: Owner + DevOps

AI Brain

Trained context, prompt templates, model preferences, fine-tuning parameters, and AI behavior configurations. The intelligence layer that makes your orchestration context-aware.

Encryption: AES-256-GCMAccess: Owner + AI systems

Audit Trail

Immutable execution logs, access records, modification history, and compliance data. Append-only by design -- entries can be added but never modified or deleted.

Encryption: AES-256-GCMAccess: Owner + auditors (read-only)

Credentials Double-Encryption

The credentials layer (L2) receives an extra layer of protection. Before being encrypted with the standard AES-256-GCM layer key, credential values are first encrypted with a key derived using Argon2id -- a memory-hard key derivation function resistant to GPU and ASIC attacks. This means that even if the layer key is compromised, credentials remain protected by the Argon2id-derived key.

credential_key = Argon2id(passphrase, salt, t=3, m=65536, p=4)encrypted = AES-256-GCM(layer_key, AES-256-GCM(credential_key, plaintext))

← Vault Container Multi-Party Escrow →