vaultkeep 0.1.0

Local-first immutable document vault engine for the Hearth ecosystem

Vaultkeep

Vaultkeep is a local-first immutable document vault engine for the Hearth ecosystem. It provides infrastructure for storing files, indexing metadata, verifying integrity, and versioning documents without UI, cloud storage, authentication, or business logic.

Vaultkeep integrates with Ember records via linked_record_id references. It does not depend on Ember internals.

Philosophy

Documents are immutable. Vaultkeep never overwrites stored files. When content changes, a new version is created and linked to its parent. Every document carries metadata and a SHA-256 checksum. The filesystem layer is abstracted behind a pluggable backend; encryption is hook-based and optional.

Vaultkeep is infrastructure: reusable, modular, and oriented toward embedding in higher-level applications.

Responsibilities

Concern	Module
Local file storage	storage/
Metadata index (SQLite)	metadata/
SHA-256 integrity	integrity/
Immutable versioning	versioning/
Encryption hooks	hooks/
HTTP retrieval API	api/

Storage Layout

vault/
  documents/
    {circle_id}/
      {linked_record_id}/
        {document_id}/
          filename.ext
  metadata.db          # SQLite index (default path)

Metadata Fields

Each indexed document includes:

• document_id, original_filename, mime_type, file_size
• checksum_sha256
• linked_record_id, circle_id
• version, parent_document_id
• storage_path, created_at

Requirements

• Python 3.12+
• uv (recommended)

Installation

uv sync --all-extras

Usage

Programmatic ingestion

from pathlib import Path
from vaultkeep import VaultConfig, VaultService
from vaultkeep.schemas.document import DocumentCreate

service = VaultService(VaultConfig())
result = service.ingest_file(
    Path("contract.pdf"),
    DocumentCreate(
        linked_record_id="ember-record-uuid",
        circle_id="circle-uuid",
        original_filename="contract.pdf",
    ),
)
print(result.document.document_id)

HTTP API

uv run vaultkeep
# or
uv run python examples/run_api.py

Method	Path	Description
POST	/api/v1/documents/upload	Ingest file (linked_record_id, circle_id form fields)
GET	/api/v1/documents/{document_id}	Metadata
GET	/api/v1/documents/{document_id}/content	File bytes (checksum verified)
GET	/api/v1/documents/linked/{linked_record_id}	List by Ember record
POST	/api/v1/documents/versions	New immutable version

Configuration

Environment variables (prefix VAULTKEEP_):

Variable	Default
VAULTKEEP_VAULT_ROOT	vault
VAULTKEEP_DATABASE_URL	sqlite:///vault/metadata.db
VAULTKEEP_LOG_LEVEL	INFO

Encryption Hooks

Encryption is not implemented by default. Register a custom hook:

from vaultkeep.hooks.encryption import EncryptionHook, set_encryption_hook

class MyEncryption(EncryptionHook):
    def encrypt(self, source, *, document_id: str) -> bytes: ...
    def decrypt(self, data: bytes, *, document_id: str) -> bytes: ...

set_encryption_hook(MyEncryption())

Entry points: encrypt_document() and decrypt_document().

Testing

uv run pytest

Project Layout

src/vaultkeep/
  storage/      # Filesystem backends
  metadata/     # SQLAlchemy repository
  integrity/    # Checksums, duplicates, corruption detection
  versioning/   # Version lineage
  hooks/        # Pluggable encryption
  models/       # ORM models
  schemas/      # Pydantic v2 models
  api/          # FastAPI routes
  utils/        # Logging, ID generation
tests/
examples/
docs/
vault/          # Runtime data directory

Design Constraints

Vaultkeep intentionally excludes:

• User authentication and authorization
• Cloud object storage providers
• Frontend/UI components
• OCR, AI, or realtime sync
• Direct Ember package dependencies

License

MIT