[AVAILABLE] as a mechanism, [PARTIAL] as a system-wide guarantee.
packages/execution-control, packages/connector-sdk. See the scope note below before treating this as true of every connector.What it is
Credential resolution happens exclusively inside the gateway boundary, after every gateway check has passed. The caller that proposed the action, the Runtime, and the Policy Engine never see the credential a connector uses to actually act.Why it exists
If the entity proposing an action, increasingly an AI agent, ever held a live, reusable credential, every guarantee upstream (deterministic policy, signed authorization, gateway re-verification) would still leave that credential extractable and reusable outside the authorized flow. Credential isolation closes that gap structurally: there is no code path where a proposer receives a credential, because credentials are never routed to it in the first place.How it behaves
CredentialHandle is opaque, resolved material, { providerId, credentialId, value }.
CredentialVaultAdapter adapts any CredentialProvider into execution-control’s
CredentialVault interface, so InMemorySecureConnector resolves credentials through it
exactly as it always has. Two providers ship: StaticCredentialProvider (an in-memory map,
hermetic tests and local development only) and EnvironmentCredentialProvider (resolves
from process.env via a connector-to-variable-name mapping).
A session credential is issued, consumed exactly once, and can be revoked:
What “never leaks” means, precisely
ACredentialHandle’s value necessarily carries the resolved secret, a connector (e.g.
HttpConnector) needs it to set an Authorization header. What must never happen is the
secret reaching anywhere durable or observable outside that one ephemeral use:
- Never in
ConnectorEvidence.buildConnectorEvidenceonly ever readsConnectorRequest/ConnectorResponsefields, neverConnectorExecutionContext.credential.redactSensitiveKeysadditionally strips any response-metadata key that looks credential-shaped, as defense in depth against a connector author’s mistake. - Never in a thrown error. Both providers’ failure messages name only identifiers
(
connectorId, environment variable name), never a resolved value. Tested inpackages/connector-sdk/tests/unit/credential-provider.test.ts. - Never as a raw value reaching a Connector. Every
CredentialHandleis branded at creation (brandCredentialHandle);SdkConnectorExecutorrejects any credential that isn’t a branded handle. Tested end-to-end ingateway-integration.test.ts(“rejects a raw (non-provider-resolved) credential”). - Never in the Execution Trust Record. Only
ConnectorEvidence(never the handle itself) is placed onExecutionResult.metadata.connector, see Execution trust records.
Minimal example
[FUTURE]: cloud secret managers
Only theCredentialProvider interface seam is defined. No integration exists yet for
HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or Google Secret Manager. Any of
these would implement CredentialProvider exactly like EnvironmentCredentialProvider
does, no cloud SDK dependency has been added to this package, and none is implemented in
this milestone.
Next
Gateway attestation
The request-bound signature that authenticates the gateway to a connector.
Add a connector with the Connector SDK
What wiring a new connector into this seam actually requires.