Preview
Vault configuration
The vault.json schema, layer paths, the sync command, and all configuration keys.
Last updated: 2026-04-30
Vault configuration
Specification - implementation in progress. The
vault.jsonschema below is the specified interface. Field names and defaults are stable; some optional fields are not yet enforced by the runtime.
vault.json
Every vault requires a vault.json at its root. Minimal valid configuration:
{
"name": "my-company",
"tier": "L2",
"environment": "production"
}Full schema with all fields:
{
"name": "my-company",
"tier": "L2",
"environment": "production",
"data": {
"catalog": "plexifact://prod/catalog",
"default_connection_timeout_ms": 5000
},
"notifications": {
"default_channel": "slack",
"slack_webhook": "env:SLACK_WEBHOOK_URL"
},
"audit": {
"enabled": true,
"retention_days": 90,
"destination": "vault://audit-log/"
},
"sync": {
"auto": false,
"pre_run": false
},
"permissions": {
"who_can_edit_l2": ["ops-team"],
"who_can_create_agents": ["ops-team", "data-team"]
}
}Field reference
Required fields
| Field | Type | Description |
|---|---|---|
name | string | Unique identifier for this vault. Used in logs and CLI output. |
tier | "L1" | "L2" | "L3" | "L4" | Vault tier. Determines resolution priority and ownership. |
environment | "sandbox" | "staging" | "production" | Target environment. Agents will not deploy to production unless this is set to "production". |
data
| Field | Type | Default | Description |
|---|---|---|---|
data.catalog | string | - | PlexiFact catalog URI. Required for agents that use PlexiFact connector skills. |
data.default_connection_timeout_ms | integer | 5000 | Timeout in milliseconds for data source connections. |
notifications
| Field | Type | Default | Description |
|---|---|---|---|
notifications.default_channel | "slack" | "email" | "webhook" | "slack" | Default notification channel for agents that do not specify one. |
notifications.slack_webhook | string | - | Slack Incoming Webhook URL. Prefix with env: to reference an environment variable. |
audit
| Field | Type | Default | Description |
|---|---|---|---|
audit.enabled | boolean | true | Whether to log agent runs to the audit trail. |
audit.retention_days | integer | 90 | How many days to retain audit log entries. |
audit.destination | string | "vault://audit-log/" | Where to write audit entries. |
sync
| Field | Type | Default | Description |
|---|---|---|---|
sync.auto | boolean | false | If true, flexor sync runs automatically on flexor deploy. |
sync.pre_run | boolean | false | If true, Flexor syncs vault state before each agent run. Adds latency; useful in fast-iteration environments. |
Directory structure
A well-organized L2 vault follows this layout:
vault-company/
├── vault.json
├── skills/
│ ├── data-freshness-check.yaml
│ ├── lp-notification.yaml
│ └── reconciliation-alert.yaml
├── agents/
│ ├── feed-monitor.yaml
│ └── weekly-nav-report.yaml
├── knowledge/
│ ├── fund-parameters.md
│ ├── sla-thresholds.md
│ └── escalation-contacts.md
├── rules/
│ └── compliance.md
└── audit-log/
└── .gitkeepThe sync command
flexor sync [--vault <name>] [--dry-run]| Flag | Description |
|---|---|
--vault <name> | Sync a specific vault by name. Defaults to all vaults in scope. |
--dry-run | Print what would be synced without writing. |
--force | Sync even if the runtime reports no changes detected. |
After sync, agents running in the target environment see the updated vault state on their next trigger.
Was this page helpful?