Verified Capabilities
Operational guarantees backed by implementation. All features verified in CLI source code.
Operational Guarantees
Zero Disk Persistence
Secrets never written to host filesystem. No plaintext traces on disk.
Health Validation
New container must pass health checks before traffic swap. Configurable timeout.
Automatic Rollback
If health check fails, restore previous container instantly. Zero downtime.
Zero Downtime
Traffic swaps safely. No connections dropped. Atomic container rename.
Atomic Swap
Old container renamed to backup, new becomes active. No partial states.
Crash Recovery
Agent restarts from a clean state. In-memory cache persists until the container stops.
Implementation-Backed Features
Runtime
Operational capabilities
Zero-Downtime Rotation
Atomic container swap. No connection drops.
Health Validation
Configurable health checks before traffic switch.
Automatic Rollback
Failed rotation restores previous container instantly.
Multi-Container Support
Rotate multiple containers in parallel.
Security
Protection mechanisms
Zero Disk Persistence
Secrets never touch filesystem. Memory-only flow.
Atomic Injection
TAR streamed to tmpfs. All-or-nothing guarantee.
Instant Cleanup
Old container secrets purged immediately on rotation.
Encryption at Rest
Local vault encrypted. Supports provider encryption.
Providers
Verified integrations
AWS Secrets Manager
IAM Instance Profile auth. No credentials needed.
Azure Key Vault
Managed Identity auth. Enterprise-ready.
HashiCorp Vault
AppRole or token auth. Self-hosted or Cloud.
Local Encrypted Vault
Zero-dependency option for development/offline.
No Marketing Claims
Every feature listed above is verified in the DSO CLI source code. No vaporware. No unimplemented features. Everything shown is production-ready and tested.