severino-vault-engine 0.1.0__tar.gz

severino_vault_engine-0.1.0/.gitignore

@@ -0,0 +1,5 @@
+.venv/
+__pycache__/
+*.pyc
+.uv/
+uv.lock

severino_vault_engine-0.1.0/PKG-INFO

@@ -0,0 +1,70 @@
+Metadata-Version: 2.4
+Name: severino-vault-engine
+Version: 0.1.0
+Summary: Domain-agnostic vault-governance engine: frontmatter schema profiles, indexing, ranked search, a task ledger, atomic writes, and a composable MCP core (register_core). The reusable core behind severino-vault-mcp and severino-edu-mcp.
+Project-URL: Homepage, https://github.com/joeseverino/vault-engine
+Project-URL: Issues, https://github.com/joeseverino/vault-engine/issues
+Author-email: Joseph Severino <github@jseverino.com>
+License-Expression: MIT
+Keywords: frontmatter,local-first,mcp,model-context-protocol,obsidian,vault
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.11
+Requires-Dist: cordon-emit
+Requires-Dist: mcp>=1.27
+Requires-Dist: starlette>=1.0.1
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.6; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# vault-engine
+
+A domain-agnostic **vault-governance engine** — the reusable core behind
+[`severino-vault-mcp`](https://github.com/joeseverino/severino-vault-mcp) and
+`severino-edu-mcp`. It governs a Git-backed, frontmatter-tagged Markdown vault
+(Obsidian-style) and exposes that governance both as a library and as a
+composable MCP tool surface.
+
+## What's in it
+
+- **`SchemaProfile`** — a vault's frontmatter contract (doc-types, statuses,
+  id-prefixes, the task lifecycle), with `as_dict()` (HQ/CI contract) and
+  `check_doc_enums()`. One engine, many profiles: a different vault is a
+  different profile, not a fork.
+- **Index + search** — a lenient frontmatter index and ranked, section-scoped
+  retrieval (`find_sections`) that returns menus, never raw bodies.
+- **Task ledger** — `doc_type: task` docs derived from the index, with a
+  validated write path.
+- **Atomic writes** — a single serializer and `atomic_write_text` /
+  `transactional_replace`, so every writer shares one escaping + durability rule.
+- **`register_core(mcp, ctx)`** — composes the generic MCP tools (search, doc
+  read with a sensitivity gate, project inventory, daily progress, the task
+  ledger, schema-validated frontmatter writes) onto any FastMCP server.
+
+## Install
+
+```bash
+pip install vault-engine        # or:  uv add vault-engine
+```
+
+## Use
+
+```python
+from vault_engine.config import Config
+from vault_engine.context import ServerContext
+from vault_engine.core_tools import register_core
+from mcp.server.fastmcp import FastMCP
+
+ctx = ServerContext(Config.from_env())          # your vault + profile
+mcp = FastMCP("my-vault-mcp")
+register_core(mcp, ctx)                          # + your own tool groups
+```
+
+The servers in the family own only their domain (writeup/topology tools, course
+tools) and a thin entrypoint; everything generic lives here.

severino_vault_engine-0.1.0/README.md

@@ -0,0 +1,45 @@
+# vault-engine
+
+A domain-agnostic **vault-governance engine** — the reusable core behind
+[`severino-vault-mcp`](https://github.com/joeseverino/severino-vault-mcp) and
+`severino-edu-mcp`. It governs a Git-backed, frontmatter-tagged Markdown vault
+(Obsidian-style) and exposes that governance both as a library and as a
+composable MCP tool surface.
+
+## What's in it
+
+- **`SchemaProfile`** — a vault's frontmatter contract (doc-types, statuses,
+  id-prefixes, the task lifecycle), with `as_dict()` (HQ/CI contract) and
+  `check_doc_enums()`. One engine, many profiles: a different vault is a
+  different profile, not a fork.
+- **Index + search** — a lenient frontmatter index and ranked, section-scoped
+  retrieval (`find_sections`) that returns menus, never raw bodies.
+- **Task ledger** — `doc_type: task` docs derived from the index, with a
+  validated write path.
+- **Atomic writes** — a single serializer and `atomic_write_text` /
+  `transactional_replace`, so every writer shares one escaping + durability rule.
+- **`register_core(mcp, ctx)`** — composes the generic MCP tools (search, doc
+  read with a sensitivity gate, project inventory, daily progress, the task
+  ledger, schema-validated frontmatter writes) onto any FastMCP server.
+
+## Install
+
+```bash
+pip install vault-engine        # or:  uv add vault-engine
+```
+
+## Use
+
+```python
+from vault_engine.config import Config
+from vault_engine.context import ServerContext
+from vault_engine.core_tools import register_core
+from mcp.server.fastmcp import FastMCP
+
+ctx = ServerContext(Config.from_env())          # your vault + profile
+mcp = FastMCP("my-vault-mcp")
+register_core(mcp, ctx)                          # + your own tool groups
+```
+
+The servers in the family own only their domain (writeup/topology tools, course
+tools) and a thin entrypoint; everything generic lives here.

severino_vault_engine-0.1.0/pyproject.toml

@@ -0,0 +1,66 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "severino-vault-engine"
+version = "0.1.0"
+description = "Domain-agnostic vault-governance engine: frontmatter schema profiles, indexing, ranked search, a task ledger, atomic writes, and a composable MCP core (register_core). The reusable core behind severino-vault-mcp and severino-edu-mcp."
+readme = "README.md"
+requires-python = ">=3.11"
+license = "MIT"
+authors = [{ name = "Joseph Severino", email = "github@jseverino.com" }]
+keywords = [
+    "mcp",
+    "model-context-protocol",
+    "obsidian",
+    "frontmatter",
+    "local-first",
+    "vault",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Software Development :: Libraries",
+]
+dependencies = [
+    "mcp>=1.27",
+    "starlette>=1.0.1",
+    # cordon's Python reference emitter — the single source for the command-surface
+    # contract (cli_introspect.py is a thin binding). Resolved from cordon's main
+    # via the git source below.
+    "cordon-emit",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0",
+    "ruff>=0.6",
+]
+
+[project.urls]
+Homepage = "https://github.com/joeseverino/vault-engine"
+Issues = "https://github.com/joeseverino/vault-engine/issues"
+
+[tool.uv.sources]
+cordon-emit = { git = "https://github.com/joeseverino/cordon", subdirectory = "emitters/python" }
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/vault_engine"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py311"
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "I", "B", "UP", "SIM"]
+ignore = ["E501"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "-ra --strict-markers"
+pythonpath = ["src"]

severino_vault_engine-0.1.0/src/vault_engine/__init__.py

@@ -0,0 +1,11 @@
+"""vault-engine — a domain-agnostic vault-governance engine.
+
+The reusable core extracted from severino-vault-mcp: a frontmatter
+``SchemaProfile`` framework, a lenient vault index, ranked section search, a
+task ledger, atomic/transactional writes, a sensitivity gate, and a composable
+MCP tool surface (``register_core``). Servers (severino-vault-mcp,
+severino-edu-mcp) compose this engine against their own vault + profile; the
+engine itself carries no server or domain knowledge.
+"""
+
+__version__ = "0.1.0"

severino_vault_engine-0.1.0/src/vault_engine/atomic_write.py

@@ -0,0 +1,119 @@
+"""Durable file replacement primitives shared by every vault writer.
+
+Both the single-file generic frontmatter writers and the multi-file writeup
+transaction need the same staged-tempfile + ``fsync`` + ``os.replace`` dance to
+avoid truncating a doc on a failed write. Centralizing it here means there is
+one implementation of "replace a file durably," and the transactional path is
+just the locked, multi-file generalization of :func:`atomic_write_text`.
+"""
+
+from __future__ import annotations
+
+import fcntl
+import hashlib
+import os
+import tempfile
+from contextlib import suppress
+from pathlib import Path
+
+
+def _stage_sibling(path: Path, data: bytes, *, prefix: str) -> Path:
+    """Write ``data`` to a flushed, fsynced sibling temp file and return it.
+
+    Staging in the target's own directory keeps the later ``os.replace`` atomic
+    (same filesystem) and leaves the original intact until the rename succeeds.
+    """
+    with tempfile.NamedTemporaryFile(
+        mode="wb",
+        dir=path.parent,
+        prefix=prefix,
+        delete=False,
+    ) as handle:
+        handle.write(data)
+        handle.flush()
+        os.fsync(handle.fileno())
+        return Path(handle.name)
+
+
+def atomic_write_text(path: Path, text: str) -> None:
+    """Durably replace one text file through a sibling temporary file."""
+    staged: Path | None = None
+    try:
+        staged = _stage_sibling(
+            path,
+            text.encode("utf-8"),
+            prefix=f".{path.name}.svmc-",
+        )
+        os.replace(staged, path)
+        staged = None
+    finally:
+        if staged is not None:
+            with suppress(FileNotFoundError):
+                staged.unlink()
+
+
+def transactional_replace(
+    root: Path,
+    replacements: dict[Path, str],
+) -> tuple[bool, str | None]:
+    """Stage all replacements, then replace under a lock with rollback.
+
+    Every target is staged first; under an exclusive lock keyed to ``root`` the
+    files are checked for concurrent modification and then replaced. Any failure
+    rolls back the files already swapped, so the set lands all-or-nothing.
+    """
+    if not replacements:
+        return True, None
+
+    originals = {path: path.read_bytes() for path in replacements}
+    staged: dict[Path, Path] = {}
+    replaced: list[Path] = []
+    lock_key = hashlib.sha256(str(root.resolve()).encode()).hexdigest()[:16]
+    lock_path = Path(tempfile.gettempdir()) / f"svmc-writeups-{lock_key}.lock"
+    try:
+        for path, text in replacements.items():
+            staged[path] = _stage_sibling(
+                path,
+                text.encode("utf-8"),
+                prefix=f".{path.name}.svmc-",
+            )
+
+        with lock_path.open("a+b") as lock_handle:
+            fcntl.flock(lock_handle.fileno(), fcntl.LOCK_EX)
+            try:
+                for path, original in originals.items():
+                    if path.read_bytes() != original:
+                        raise RuntimeError(
+                            f"file changed during transaction: {path}"
+                        )
+                for path in sorted(replacements, key=str):
+                    os.replace(staged[path], path)
+                    replaced.append(path)
+            except (OSError, RuntimeError) as exc:
+                rollback_errors: list[str] = []
+                for path in reversed(replaced):
+                    try:
+                        rollback_path = _stage_sibling(
+                            path,
+                            originals[path],
+                            prefix=f".{path.name}.rollback-",
+                        )
+                        os.replace(rollback_path, path)
+                    except OSError as rollback_exc:
+                        rollback_errors.append(f"{path}: {rollback_exc}")
+                detail = str(exc)
+                if rollback_errors:
+                    detail += "; rollback errors: " + "; ".join(rollback_errors)
+                return False, detail
+            finally:
+                fcntl.flock(lock_handle.fileno(), fcntl.LOCK_UN)
+        return True, None
+    except OSError as exc:
+        return False, str(exc)
+    finally:
+        for path in staged.values():
+            with suppress(FileNotFoundError):
+                path.unlink()
+
+
+__all__ = ["atomic_write_text", "transactional_replace"]

severino_vault_engine-0.1.0/src/vault_engine/brief_service.py

@@ -0,0 +1,98 @@
+"""Vault brief: the deterministic "state of the vault" aggregate.
+
+One emit-once source for the doc-side vault facts an agent otherwise re-derives
+every session — recent changes, docs overdue for review, and inbox backlog —
+so the `brief` shell tool can compose them with repo and writeup state in a
+single cheap read instead of inferring from raw files.
+
+FastMCP-free (the service spine): the same code backs both the MCP and the CLI.
+Writeup state keeps its own owner (`writeup_service` / `list-writeups`); this
+stays doc-focused so each fact has exactly one owner.
+"""
+
+from __future__ import annotations
+
+from datetime import date
+from typing import Any
+
+from .task_service import list_tasks
+from .vault import VaultLoader
+from .vault_query_service import recent_changes
+
+
+def _age_days(iso: str | None) -> int | None:
+    """Days since an ISO `last_reviewed` date, or None if absent/unparseable."""
+    if not iso:
+        return None
+    try:
+        year, month, day = (int(part) for part in iso[:10].split("-"))
+        return (date.today() - date(year, month, day)).days
+    except (ValueError, IndexError):
+        return None
+
+
+def vault_brief(
+    loader: VaultLoader,
+    *,
+    days: int = 7,
+    review_after_days: int = 180,
+    recent_limit: int = 15,
+) -> dict[str, Any]:
+    """Doc-side vault state in one structured payload.
+
+    - `recent_changes`: vault commits in the indexed dirs over the last `days`.
+    - `docs_to_review`: indexed docs whose `last_reviewed` is older than
+      `review_after_days`, newest-stale first.
+    - `inbox`: count of top-level `00 Inbox/*.md` captures.
+    """
+    review_after_days = max(0, int(review_after_days))
+    idx = loader.index()
+
+    changes = recent_changes(loader, days, recent_limit)
+    commits = changes.get("commits", []) if isinstance(changes, dict) else []
+    changes_error = changes.get("error") if isinstance(changes, dict) else None
+
+    stale: list[dict[str, Any]] = []
+    for doc in idx.docs:
+        age = _age_days(doc.last_reviewed)
+        if age is not None and age > review_after_days:
+            stale.append(
+                {
+                    "doc_id": doc.doc_id,
+                    "title": doc.title,
+                    "obsidian_path": doc.relative_path,
+                    "last_reviewed": doc.last_reviewed,
+                    "age_days": age,
+                }
+            )
+    stale.sort(key=lambda entry: entry["age_days"], reverse=True)
+
+    inbox_dir = loader.config.vault_path / "00 Inbox"
+    inbox_count = sum(1 for _ in inbox_dir.glob("*.md")) if inbox_dir.is_dir() else 0
+
+    # Tasks are doc-side vault data; the board's owner (list_tasks) summarizes
+    # them so the brief surfaces open work + stale debt without re-deriving.
+    board = list_tasks(loader)
+    tasks_summary = {
+        "open": board["count"],  # open + active
+        "total": board["total"],
+        "stale": board["counts"]["stale"],
+        "stale_slugs": [t["slug"] for t in board["tasks"] if t["stale"]][:8],
+    }
+
+    recent: dict[str, Any] = {"days": days, "count": len(commits), "commits": commits}
+    if changes_error:
+        recent["error"] = changes_error
+
+    return {
+        "ok": True,
+        "vault_doc_count": len(idx.docs),
+        "recent_changes": recent,
+        "docs_to_review": {
+            "after_days": review_after_days,
+            "count": len(stale),
+            "docs": stale,
+        },
+        "inbox": {"count": inbox_count},
+        "tasks": tasks_summary,
+    }

severino_vault_engine-0.1.0/src/vault_engine/cli_introspect.py

@@ -0,0 +1,45 @@
+"""Emit the repo's command surface — bound to cordon's reference emitter.
+
+The "Code/guards" leg of emit-once, render-many (see the vault decision record
+`report-emit-once-render-many` and `docs/federated-retrieval.md`): the argparse
+parser in `cli.build_parser` *is* the command surface, so we introspect it rather
+than restate it in prose. One emitter, three consumers — an AI session reads the
+JSON token-minimally instead of parsing `AGENTS.md`, a TUI renders it as a command
+picker, and a guard can diff it. It can't drift from `--help` because it is
+generated from the same parser that produces `--help`.
+
+This is now a thin binding over **cordon's Python reference emitter**
+(`cordon_emit`, the `cordon-emit` dependency) rather than a private copy: cordon
+owns the algorithm and the schema, and we converge on its output, so
+`tools describe --repos` folds this CLI in as a homogeneous sibling and validates
+every member against the one `cordon-v4.json`. Per-command blast radius is
+declared with `cordon_emit.set_effect` on each subparser in `cli.build_parser`;
+the emitter reads it back here. All this module adds is this repo's inventory
+coordinates (`group` / `order`).
+"""
+
+from __future__ import annotations
+
+import argparse
+from typing import Any
+
+from cordon_emit import describe_parser as _emit
+
+# This MCP's coordinates when folded into the federated surface. Uniqueness of
+# `order` is enforced within a repo's own tools, not across siblings, so a fixed
+# pair is correct: this repo presents as one sibling, not a tool list.
+GROUP = "Vault MCP"
+ORDER = 1
+
+
+def describe_parser(parser: argparse.ArgumentParser) -> dict[str, Any]:
+    """Project the CLI parser to a complete Cordon v4 document via cordon's emitter.
+
+    Returns the full ``{ok, schema_version, ...}`` envelope. Tool-level effect is
+    ``read`` (the entry point only dispatches); per-command effects come from the
+    ``set_effect`` annotations in :func:`cli.build_parser`.
+    """
+    return _emit(parser, group=GROUP, order=ORDER)
+
+
+__all__ = ["describe_parser"]

severino_vault_engine-0.1.0/src/vault_engine/config.py

@@ -0,0 +1,202 @@
+"""Configuration from TOML plus environment-variable overrides.
+
+The package is single-user by design: it runs locally as a stdio MCP server
+and reads files the local account can already read. A config file keeps
+personal vault paths and integration details out of the repository, while
+environment variables remain convenient for tests and one-off runs.
+"""
+
+from __future__ import annotations
+
+import os
+import tomllib
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+DEFAULT_CONFIG_PATH = "~/.config/severino-vault-mcp/config.toml"
+
+
+def _expand_path(raw: str | Path) -> Path:
+    return Path(os.path.expanduser(str(raw)))
+
+
+def _env_path(name: str, default: str | Path) -> Path:
+    raw = os.environ.get(name)
+    if raw is None:
+        return _expand_path(default)
+    return _expand_path(raw)
+
+
+def _env_list(name: str, default: tuple[str, ...] | list[str]) -> tuple[str, ...]:
+    raw = os.environ.get(name)
+    if raw is None:
+        return tuple(default)
+    return tuple(part for part in raw.split(":") if part)
+
+
+def _env_bool(name: str, default: bool = False) -> bool:
+    raw = os.environ.get(name)
+    if raw is None:
+        return default
+    return raw.strip().lower() in {"1", "true", "yes", "on"}
+
+
+def _read_config(path: Path) -> dict[str, Any]:
+    try:
+        with path.open("rb") as handle:
+            data = tomllib.load(handle)
+    except FileNotFoundError:
+        return {}
+    except (OSError, tomllib.TOMLDecodeError):
+        return {}
+    return data if isinstance(data, dict) else {}
+
+
+def _section(data: dict[str, Any], name: str) -> dict[str, Any]:
+    value = data.get(name, {})
+    return value if isinstance(value, dict) else {}
+
+
+def _value(section: dict[str, Any], key: str, default: Any) -> Any:
+    value = section.get(key, default)
+    return default if value is None else value
+
+
+@dataclass(frozen=True)
+class Config:
+    vault_path: Path
+    indexed_dirs: tuple[str, ...]
+    daily_notes_dir: str
+    aliases_path: Path
+    topology_path: Path
+    infra_datasets_path: Path
+    metadata_url: str
+    cache_seconds: int
+    allow_secret_adjacent_unlock: bool
+    secret_unlock_hash: str | None
+    secret_unlock_hash_file: Path
+    secret_unlock_keychain_service: str
+    secret_unlock_keychain_account: str
+    secret_unlock_audit_log: Path
+
+    @classmethod
+    def from_env(cls) -> Config:
+        config_path = _env_path("SVMC_CONFIG", DEFAULT_CONFIG_PATH)
+        data = _read_config(config_path)
+        vault = _section(data, "vault")
+        metadata = _section(data, "metadata")
+        cache = _section(data, "cache")
+        # The `secret_adjacent` config section and the SVMC_SECRET_ADJACENT_*
+        # env vars below are a backward-compat shim from the rename to
+        # `restricted` (see schema.py). Retire them — the second leg of each
+        # `os.environ.get(..., os.environ.get("SVMC_SECRET_ADJACENT_...))` — once
+        # no local config predates 2026-06; tracked as cleanup, not load-bearing.
+        unlock = _section(data, "restricted") or _section(data, "secret_adjacent")
+
+        indexed_dirs = _value(
+            vault,
+            "indexed_dirs",
+            # "07 Backlog" holds the cross-cutting task slice; project tasks
+            # live under "01 Projects/<project>/tasks/" and are already covered.
+            ["01 Projects", "02 Infrastructure", "03 Runbooks", "07 Backlog"],
+        )
+        if isinstance(indexed_dirs, str):
+            indexed_dirs = [part for part in indexed_dirs.split(":") if part]
+
+        vault_path = _env_path(
+            "SVMC_VAULT_PATH",
+            _value(vault, "path", "~/Documents/vault"),
+        )
+
+        aliases = _section(data, "aliases")
+        aliases_default = vault_path / ".svmc" / "aliases.toml"
+
+        topology = _section(data, "topology")
+        topology_default = (
+            vault_path / "02 Infrastructure" / "Topology" / "topology.json"
+        )
+
+        infra = _section(data, "infra_datasets")
+        infra_default = vault_path / "02 Infrastructure" / "_infra-datasets.json"
+
+        return cls(
+            vault_path=vault_path,
+            daily_notes_dir=str(
+                os.environ.get(
+                    "SVMC_DAILY_NOTES_DIR",
+                    _value(vault, "daily_notes_dir", "00 Inbox/Daily Note"),
+                )
+            ),
+            aliases_path=_env_path(
+                "SVMC_ALIASES_PATH",
+                _value(aliases, "path", aliases_default),
+            ),
+            topology_path=_env_path(
+                "SVMC_TOPOLOGY_PATH",
+                _value(topology, "path", topology_default),
+            ),
+            infra_datasets_path=_env_path(
+                "SVMC_INFRA_DATASETS_PATH",
+                _value(infra, "path", infra_default),
+            ),
+            indexed_dirs=_env_list("SVMC_INDEXED_DIRS", tuple(indexed_dirs)),
+            metadata_url=os.environ.get(
+                "SVMC_METADATA_URL",
+                str(_value(metadata, "url", "")),
+            ),
+            cache_seconds=int(os.environ.get(
+                "SVMC_CACHE_SECONDS",
+                str(_value(cache, "seconds", 30)),
+            )),
+            allow_secret_adjacent_unlock=_env_bool(
+                "SVMC_ALLOW_RESTRICTED_UNLOCK",
+                _env_bool(
+                    "SVMC_ALLOW_SECRET_ADJACENT_UNLOCK",
+                    bool(_value(unlock, "allow_unlock", False)),
+                ),
+            ),
+            secret_unlock_hash=os.environ.get(
+                "SVMC_RESTRICTED_UNLOCK_HASH",
+                os.environ.get(
+                    "SVMC_SECRET_ADJACENT_UNLOCK_HASH",
+                    _value(unlock, "hash", None),
+                ),
+            ),
+            secret_unlock_hash_file=_env_path(
+                "SVMC_RESTRICTED_UNLOCK_HASH_FILE",
+                os.environ.get(
+                    "SVMC_SECRET_ADJACENT_UNLOCK_HASH_FILE",
+                    _value(
+                        unlock,
+                        "hash_file",
+                        "~/.config/severino-vault-mcp/restricted-unlock.sha256",
+                    ),
+                ),
+            ),
+            secret_unlock_keychain_service=os.environ.get(
+                "SVMC_RESTRICTED_UNLOCK_KEYCHAIN_SERVICE",
+                os.environ.get(
+                    "SVMC_SECRET_ADJACENT_UNLOCK_KEYCHAIN_SERVICE",
+                    str(_value(unlock, "keychain_service", "severino-vault-mcp")),
+                ),
+            ),
+            secret_unlock_keychain_account=os.environ.get(
+                "SVMC_RESTRICTED_UNLOCK_KEYCHAIN_ACCOUNT",
+                os.environ.get(
+                    "SVMC_SECRET_ADJACENT_UNLOCK_KEYCHAIN_ACCOUNT",
+                    str(_value(unlock, "keychain_account", "restricted-unlock")),
+                ),
+            ),
+            secret_unlock_audit_log=_env_path(
+                "SVMC_RESTRICTED_UNLOCK_AUDIT_LOG",
+                os.environ.get(
+                    "SVMC_SECRET_ADJACENT_UNLOCK_AUDIT_LOG",
+                    _value(
+                        unlock,
+                        "audit_log",
+                        "~/.local/state/severino-vault-mcp/audit.log",
+                    ),
+                ),
+            ),
+        )