ShrouDB Moat

All nine engines in a single binary, dual protocol, one config.

Why Moat

  • Single process hosts every engine — zero inter-service hops.
  • Dual protocol: HTTP on :8200, TCP on :8201, same commands.
  • Scope-based auth applies across every engine.
  • Runtime CONFIG commands — no restart to change rotation or limits.
  • Clustering for HA (beta).

Full configuration

moat.toml
[server]
http_bind = ":8200"
bind      = ":8201"

[storage]
dir        = "/var/lib/shroudb"
encryption = "aes-256-gcm"

[engines.sigil]
enabled = true
[engines.sigil.keyspaces.jwt]
type        = "jwt"
algorithm   = "ES256"
default_ttl = "1h"

[engines.cipher]
enabled = true
[engines.cipher.keyrings.payments]
algorithm = "aes-256-gcm"

[engines.stash]
enabled = true
[engines.stash.storage]
backend = "s3"
bucket  = "myorg-stash"

[engines.veil]
enabled = true

[engines.keep]
enabled = true

[engines.forge]
enabled = false

[engines.sentry]
enabled = true
policy_dir = "/etc/shroudb/policies"

[engines.courier]
enabled = false

[engines.chronicle]
enabled = true
retention_days = 30

[access]
mode = "token"

[[access.policies]]
token  = "${APP_TOKEN}"
scopes = [
  "cipher:encrypt/payments",
  "sigil:verify/*",
  "keep:get/secrets/app/*",
]

[cluster]
enabled = false
node_id = "moat-1"
peers   = []

Meta-commands

Command   Args      Description
AUTH      <token>   Authenticate the connection
ENGINE    <name>    Switch engine context
PING                Keepalive
HEALTH              Process health summary

Scope format

Scopes use the pattern engine:verb/resource. Wildcards are supported at any segment.

examples
*:*/*                           # full access
cipher:encrypt/payments         # encrypt under payments keyring only
sigil:verify/*                  # verify any credential
keep:get/secrets/app/*          # read app secrets only
chronicle:query/*               # read audit stream
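The scope rules above, applied to the access policy in moat.toml, as an added example in Python (not ShrouDB's own code): a matcher that decides whether a token's scopes cover a concrete engine:verb/resource request, plus a configuration check that flags scopes granted on engines that are not enabled. The page only says that wildcards work at any segment, so the matching rules (a `*` matches exactly one `/`-separated segment, a trailing `*` in the resource matches any remaining depth, and requests are always concrete) are assumptions, as is the second `${OPS_TOKEN}` policy added to the constructed config so that a denied and a disabled-engine case both appear.

```python
"""Scope matcher for Moat's engine:verb/resource policy scopes.

Added example, not ShrouDB's own code. Assumptions (the page only says
"wildcards are supported at any segment"):
  * '*' matches exactly one segment; resource segments are '/'-separated.
  * a trailing '*' in the resource matches any remaining depth, so
    keep:get/secrets/app/* also covers secrets/app/db/password.
  * a request must name a concrete engine, verb and resource (no wildcards).
Requires Python 3.11+ for tomllib (or the 'tomli' backport).
"""
try:
    import tomllib
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed input: the [engines] and [access] parts of the moat.toml above,
# plus a hypothetical operator token whose scopes include a disabled engine.
MOAT_TOML = """
[engines.cipher]
enabled = true
[engines.sigil]
enabled = true
[engines.keep]
enabled = true
[engines.forge]
enabled = false
[engines.chronicle]
enabled = true

[access]
mode = "token"

[[access.policies]]
token  = "${APP_TOKEN}"
scopes = [
  "cipher:encrypt/payments",
  "sigil:verify/*",
  "keep:get/secrets/app/*",
]

[[access.policies]]
token  = "${OPS_TOKEN}"
scopes = ["chronicle:query/*", "forge:issue/*"]
"""


def parse_scope(scope: str) -> tuple[str, str, list[str]]:
    """Split 'engine:verb/resource' into (engine, verb, resource segments)."""
    engine, _, rest = scope.partition(":")
    verb, _, resource = rest.partition("/")
    if not engine or not verb or not resource:
        raise ValueError(f"malformed scope: {scope!r}")
    return engine, verb, resource.split("/")


def _segments_match(pattern: list[str], actual: list[str]) -> bool:
    """Segment-wise match; a trailing '*' absorbs any remaining depth (assumption)."""
    if pattern and pattern[-1] == "*":
        head = pattern[:-1]
        return len(actual) > len(head) and all(p in ("*", a) for p, a in zip(head, actual))
    return len(pattern) == len(actual) and all(p in ("*", a) for p, a in zip(pattern, actual))


def scope_allows(pattern: str, request: str) -> bool:
    """True if the policy scope `pattern` covers the concrete `request` scope."""
    pe, pv, pr = parse_scope(pattern)
    re_, rv, rr = parse_scope(request)
    if "*" in re_ + rv + "".join(rr):
        raise ValueError("request scopes must be concrete")
    return pe in ("*", re_) and pv in ("*", rv) and _segments_match(pr, rr)


def load_policies(toml_text: str) -> tuple[dict[str, list[str]], set[str]]:
    """Return {token: scopes} and the set of enabled engine names."""
    cfg = tomllib.loads(toml_text)
    policies = {p["token"]: list(p["scopes"]) for p in cfg["access"]["policies"]}
    enabled = {name for name, e in cfg["engines"].items() if e.get("enabled")}
    return policies, enabled


def authorize(policies: dict[str, list[str]], token: str, request: str) -> bool:
    """Unknown token -> deny; otherwise any matching scope grants the request."""
    return any(scope_allows(s, request) for s in policies.get(token, ()))


def scopes_on_disabled_engines(policies: dict[str, list[str]], enabled: set[str]) -> list[tuple[str, str]]:
    """Config check: scopes naming an engine that is not enabled (a latent grant)."""
    findings = []
    for token, scopes in policies.items():
        for s in scopes:
            engine = parse_scope(s)[0]
            if engine != "*" and engine not in enabled:
                findings.append((token, s))
    return findings


if __name__ == "__main__":
    policies, enabled = load_policies(MOAT_TOML)
    app = "${APP_TOKEN}"
    for req in ["cipher:encrypt/payments", "cipher:decrypt/payments",
                "keep:get/secrets/app/db", "keep:get/secrets/ops/db"]:
        print(f"{req:32} -> {'allow' if authorize(policies, app, req) else 'deny'}")
    print("scopes on disabled engines:", scopes_on_disabled_engines(policies, enabled))
```

The disabled-engine check is worth running on every config change: a scope such as forge:issue/* on a token is inert while forge is disabled, but flipping enabled = true later activates the grant without anyone touching the access policy, which is the kind of drift a least-privilege review should catch.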