Glossary
Key terms used throughout the machine identity & credential mediation documentation.
Adapter
A unit of provider-specific knowledge. Defines which hosts and paths it owns, how to detect a credential in an inbound response (escrow + surrogate), how to restore a placeholder in an outbound request, and which upstream signing scheme to use. Excalibur ships with 730+ built-in adapters.
Audit chain
The append-only log of every authentication, authorisation, and mediation decision the proxy makes. Each entry includes the hash of the previous entry. Tampering with a row breaks the chain everywhere downstream.
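The hash linking described above, as an added illustration that is not Excalibur's own code: each entry commits to the previous entry's hash, so editing one row invalidates that row and every row after it. The entry field names, the SHA-256 choice, the all-zero genesis value and the sample decisions are constructed here for the example.

```python
"""Append-only audit chain with per-entry hash linking (added example, not Excalibur code)."""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

# Constructed sentinel used as prev_hash of the very first entry.
GENESIS_HASH = "0" * 64

# Constructed sample decisions; field names are assumptions for this example.
SAMPLE_DECISIONS = [
    {"kind": "authn", "principal": "workload:prod/payments/pod-a1", "result": "allow"},
    {"kind": "translate", "principal": "workload:prod/payments/pod-a1",
     "placeholder": "XCALIBUR_STRIPE_LIVE", "provider": "stripe", "result": "allow"},
    {"kind": "connect", "principal": "service:batch-runner", "host": "api.github.com",
     "result": "deny"},
]


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(body: dict) -> str:
    """Hash of an entry body (everything except its own 'hash' field)."""
    return hashlib.sha256(_canonical(body)).hexdigest()


def append(chain: List[dict], decision: dict) -> dict:
    """Append a decision, linking it to the hash of the current last entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "prev_hash": prev_hash, **decision}
    entry = {**body, "hash": entry_hash(body)}
    chain.append(entry)
    return entry


def verify(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, seq of first entry that fails)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i
                or entry.get("prev_hash") != expected_prev
                or entry_hash(body) != entry.get("hash")):
            return False, i
        expected_prev = entry["hash"]
    return True, None


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for decision in SAMPLE_DECISIONS:
        append(chain, decision)
    return chain


def tamper(chain: List[dict], seq: int, field: str, value, rehash: bool = False) -> List[dict]:
    """Return a copy with one row edited; optionally recompute only that row's hash,
    which is what an attacker who can write the log but not rewrite history would try."""
    edited = copy.deepcopy(chain)
    edited[seq][field] = value
    if rehash:
        body = {k: v for k, v in edited[seq].items() if k != "hash"}
        edited[seq]["hash"] = entry_hash(body)
    return edited


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain))
    print("row 1 edited:", verify(tamper(chain, 1, "result", "deny")))
    print("row 1 edited and rehashed:", verify(tamper(chain, 1, "result", "deny", rehash=True)))
```

Rehashing the edited row only moves the break one step forward: row 2 still records the old hash as its `prev_hash`, so a verifier that walks the chain from genesis always locates the first inconsistent row.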
Attestation
A platform-issued, hardware-rooted document — Kubernetes projected SA token, AWS IMDS, GCP metadata identity token, GitHub Actions OIDC, TPM quote, SPIFFE — that the proxy verifies before minting a workload bearer.
Cryptographic mediation
The family of upstream auth where the proxy must sign the outbound request from a private key the workload must never see — JWT bearer assertions, DPoP proofs, upstream mTLS, AWS SigV4. Distinct from simple placeholder substitution.
Developer device
The principal kind for an overlay-network peer (typically NetBird). The peer's identity flows in from the overlay control plane; nothing additional is installed on the laptop.
DPoP
RFC 9449 sender-constrained access tokens. Each request carries a fresh signed proof header bound to the request URL and method. The proxy holds the proof key.
Egress policy
The global allow / block list of destination domains. Combined with namespace policy, decides whether a CONNECT is allowed.
Enforcement mode
The production posture. Adapters mutate traffic; unknown HTTP flows fail closed; raw non-HTTP TCP is blocked.
Escrow
The encrypted server-side store of real credentials. The workload has no read path to escrow.
Hash chain
See Audit chain.
Mediator / broker / proxy
The Excalibur process. Sits on the network path between workloads and upstreams.
Namespace
A hierarchical group of workloads (prod, prod/payments, prod/payments/eu-west). Each namespace can carry its own egress allow-list. Children may only narrow the parent.
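How the Egress policy and Namespace entries above combine, as an added example rather than Excalibur's own policy engine or syntax. The page states only that children may narrow the parent and that the global allow/block list is combined with namespace policy; the precise semantics used here are assumptions: a child's effective allow-list is the intersection with its parent's, a namespace chain with no list at all falls back to the global policy alone, the global block list wins over every allow-list, and `*.` patterns match subdomains. All hostnames and namespace names are constructed.

```python
"""Egress decision for a CONNECT: global allow/block plus narrowing-only namespace lists.
Added example; policy semantics are assumptions, not Excalibur's documented behaviour."""
from typing import Dict, List, Optional, Set

# Constructed global egress policy.
GLOBAL_ALLOW = {"api.stripe.com", "api.github.com", "sts.amazonaws.com", "files.exfil.example"}
GLOBAL_BLOCK = {"*.exfil.example"}

# Constructed per-namespace allow-lists (exact hostnames). A namespace absent here
# inherits its parent's effective list. Note prod/payments/eu-west tries to re-add
# api.github.com, which its parent prod/payments already dropped.
NAMESPACE_ALLOW: Dict[str, Set[str]] = {
    "prod": {"api.stripe.com", "api.github.com", "sts.amazonaws.com", "files.exfil.example"},
    "prod/payments": {"api.stripe.com", "sts.amazonaws.com"},
    "prod/payments/eu-west": {"api.stripe.com", "api.github.com"},
}


def matches(host: str, pattern: str) -> bool:
    """Exact match, or '*.example' matching any host with at least one label before it."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def ancestry(namespace: str) -> List[str]:
    """'prod/payments/eu-west' -> ['prod', 'prod/payments', 'prod/payments/eu-west']"""
    parts = namespace.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_allow(namespace: str) -> Optional[Set[str]]:
    """Intersect every list down the hierarchy so a child can only narrow its parent.
    Returns None when no level carries a list (assumed: global policy alone applies)."""
    effective: Optional[Set[str]] = None
    for ns in ancestry(namespace):
        own = NAMESPACE_ALLOW.get(ns)
        if own is None:
            continue
        effective = set(own) if effective is None else effective & set(own)
    return effective


def widening_entries(namespace: str) -> Set[str]:
    """Lint helper: hosts a namespace lists that its parent's effective list does not
    contain. They never take effect, so flagging them avoids a false sense of access."""
    parents = ancestry(namespace)[:-1]
    if not parents:
        return set()
    parent_eff = effective_allow(parents[-1])
    own = NAMESPACE_ALLOW.get(namespace, set())
    return set() if parent_eff is None else set(own) - parent_eff


def connect_allowed(namespace: str, host: str) -> bool:
    """Decide a CONNECT. Block wins, then global allow, then the narrowed namespace list."""
    if any(matches(host, p) for p in GLOBAL_BLOCK):
        return False
    if not any(matches(host, p) for p in GLOBAL_ALLOW):
        return False
    eff = effective_allow(namespace)
    if eff is None:
        return True
    return any(matches(host, p) for p in eff)


if __name__ == "__main__":
    ns = "prod/payments/eu-west"
    print(ns, "effective:", sorted(effective_allow(ns)))
    print(ns, "ineffective widening:", sorted(widening_entries(ns)))
    for host in ("api.stripe.com", "api.github.com", "files.exfil.example"):
        print(f"CONNECT {host} from {ns}:", connect_allowed(ns, host))
```

The `widening_entries` check is the one an operator wants when a child namespace appears to list a host yet CONNECTs to it are denied: the entry is outside the parent's list, so the intersection silently discards it.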
Onboarding candidate
An unmanaged credential observed in live outbound traffic. Surfaces on the Onboarding page so an operator can adopt it as a managed placeholder without ever copying the secret value.
Operating mode
One of discovery, shadow, enforcement. See Concept & trust model — three operating modes.
Placeholder
The public, inert label the workload holds in place of a real credential. Format: XCALIBUR_<UPPERCASE_NAME>. Useless outside the proxy.
Principal
The canonical identity of a caller. Four kinds: user_session, service, workload, developer_device.
Provider
The upstream service whose credentials are being mediated (stripe, github, aws, bank, …). Adapters and translation rules match on it.
Proxy bearer
A short-lived bearer token Excalibur mints so that a workload can authenticate to the proxy itself. Distinct from the upstream provider's bearer — it is useless against any provider directly.
RBAC
Token-based role-based access control on the control API. Roles: viewer, operator, admin, break-glass.
Service credential
A long-lived operator-minted bearer bound to a source CIDR. The identity for long-running servers, batch jobs, build runners.
Shadow mode
Adapters run against live traffic but their output is compared, not applied. Used to gain confidence before flipping to enforcement.
SigV4
The AWS request-signing algorithm (AWS4-HMAC-SHA256). Excalibur holds the IAM access key and signs canonical requests, including streaming and trailer-checksum variants.
Surrogate
The opaque artifact the proxy returns to the workload inbound in place of a real credential the upstream issued (e.g. a session cookie, an OAuth refresh token). The workload presents the surrogate on subsequent calls; the proxy restores the real value upstream.
Translation authorisation
The fail-closed authorisation layer that decides whether a given principal may redeem a given placeholder against a given provider and route. Default is deny — see Translation rules.
Token exchange
RFC 8693. The mechanism by which a workload trades a platform-issued attestation document for a short-lived proxy bearer. Stock HTTP POST; nothing Excalibur-specific runs on the workload.
Workload
The principal kind for an attestation-identified caller, typically a Kubernetes pod, a GitHub Actions job, or a cloud workload.