The credential vault replaces the old habit of putting API keys in env vars and referencing them with templates. Keys live encrypted in a vault, the YAML carries only a name (the ref). The runtime resolves the name at session start, decrypts in memory, hot-swaps onto the live provider client. The plaintext never enters the deployed bundle, never enters git, never sits in a log. Sixteen first-class providers ship with catalog entries, others fall back to inline config.
Engineering notes from the Digitorn team. No marketing, no launch announcements, no "10 prompts that will change your life". Just the things we write that we'd want to read.