openrig.dev

Secrets Manager

Published April 2026

1 node · 1 podclaude-code + Vault environment
agent-managed-softwaresecretsvault

Secrets Manager is the smallest example of agent-managed software in the shipped library. OpenRig boots HashiCorp Vault alongside a specialist agent that knows how to inspect and operate it.

The operator flow is direct: confirm the service is healthy, send a task to the specialist, then verify the result in Vault itself.

# Boot the rig
rig up secrets-manager

# Confirm the managed service is healthy
rig env status secrets-manager

# Dispatch work to the specialist
rig send vault-specialist@secrets-manager "show me the demo/remotion-shot secret" --verify
Workflow pair
Health check, then dispatch

The rig exposes both the service-health surface and the specialist-agent surface from the same CLI.

1. rig env status secrets-manager2. rig send vault-specialist@secrets-manager ... --verify
workflow pair showing environment status followed by a send command to the vault specialist
CLI proof
1. Confirm Vault is healthy

For service-backed rigs, `rig env status` is the honest health surface.

rig env status output showing the secrets-manager environment is healthy
CLI proof
2. Verify task delivery

Dispatch work to the specialist and confirm that the message reached the agent.

rig send vault-specialist verify output showing a verified task dispatch to the vault specialist agent
CLI proof
3. The specialist performs the work

The agent interacts with Vault in a normal terminal session and reports the result directly.

terminal output from the vault specialist agent confirming the requested vault secret
CLI proof
4. The human verifies in the Vault UI

The final proof is the managed application's own interface, not a claim in marketing copy.

Vault UI showing the secret that the specialist agent worked with

Why This Example Matters

Service-backed

This is not just a fleet of coding sessions. The rig also manages a real application environment.

Operator-visible

Environment health, task dispatch, and the resulting app state are all inspectable surfaces.

Small but real

One node and one service is enough to show the agent-managed software pattern without hiding behind abstraction.