Resolve key management: use the governed API key for repeat Rhumb-managed execution; use BYOK or Agent Vault when workflows touch operator-owned systems; use x402 only when zero-signup per-call payment is the point; provider pinning remains available when direct control matters.

Credential authority

Keys are a routing constraint, not an implementation detail.

Resolve has to know who owns the upstream credential before it can honestly route a call. The right key path changes the route, cost, risk, and receipt.

“One key, many superpowers” does not mean one credential model for every workflow. Start with the governed key for Rhumb-managed capabilities, then bring BYOK or Agent Vault only when the work crosses into your systems.

Rhumb-managed

When: Use when Rhumb can honestly own the upstream provider account and expose the capability as the product.

Agent effect: Fastest path for repeat utility capabilities and low-heroics onboarding.

Watch: Do not use it to hide customer-owned system access behind Rhumb credentials.

BYOK

When: Use when the workflow touches the operator’s provider account, workspace, or production system.

Agent effect: The agent keeps explicit provider control while Rhumb adds routing, estimates, receipts, and policy checks where supported.

Watch: Credential custody and rotation remain an operator responsibility unless paired with vaulting.

Agent Vault

When: Use when credentials should be encrypted, scoped to an agent, and injected at execution time.

Agent effect: Best for agent-native custody and repeat execution where plaintext keys should not be copied into prompts or scripts.

Watch: Still needs clear scopes, revocation, and route-level receipts — vaulting is not authorization by itself.

Operating rules

The honest default is simple.

Use the smallest credential boundary that can do the work safely. Do not introduce provider control, wallet payment, or vault ceremony unless the job actually needs it.

Start with the governed API key for repeat Rhumb-managed execution.
Bring BYOK or Agent Vault when the workflow crosses into operator-owned systems.
Use x402 when zero-signup per-call payment is the point, not as a default repeat-traffic rail.
Pin provider paths when direct control matters more than best-fit routing.
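The four operating rules and the three Watch caveats expressed as one routing decision, as an added example that is not Rhumb's code: WorkflowProfile, PolicyError and the function names are assumptions, and the workflow attributes are constructed inputs.

```python
# Added example, not Rhumb's code: encodes the page's key-path rules and
# "Watch" caveats. WorkflowProfile fields and PolicyError are assumed names.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple

class KeyPath(Enum):
    RHUMB_MANAGED = "rhumb-managed"
    BYOK = "byok"
    AGENT_VAULT = "agent-vault"
    X402 = "x402"

class PolicyError(ValueError):
    """A requested key path violates one of the 'Watch' caveats."""

@dataclass(frozen=True)
class WorkflowProfile:
    touches_operator_systems: bool          # operator account, workspace or production
    repeat_execution: bool                  # recurring traffic rather than a one-off call
    zero_signup_payment: bool = False       # per-call payment without an account is the point
    vault_scopes: FrozenSet[str] = frozenset()  # agent-scoped permissions, if vaulted
    vault_revocable: bool = False           # a revocation path exists for the vaulted key
    pinned_provider: Optional[str] = None   # set when direct control beats best-fit routing

def select_key_path(w: WorkflowProfile) -> KeyPath:
    """Smallest credential boundary that can do the work safely."""
    if w.zero_signup_payment and not w.repeat_execution:
        return KeyPath.X402                 # not a default rail for repeat traffic
    if w.touches_operator_systems:
        # Operator-owned systems are never fronted by Rhumb credentials.
        if w.vault_scopes and w.vault_revocable:
            return KeyPath.AGENT_VAULT      # encrypted, scoped, injected at execution time
        return KeyPath.BYOK                 # custody and rotation stay with the operator
    return KeyPath.RHUMB_MANAGED            # governed key for repeat Rhumb-managed work

def validate_key_path(w: WorkflowProfile, requested: KeyPath) -> KeyPath:
    """Reject explicit choices the caveats forbid; return the path if allowed."""
    if requested is KeyPath.RHUMB_MANAGED and w.touches_operator_systems:
        raise PolicyError("Rhumb-managed key must not hide customer-owned system access")
    if requested is KeyPath.AGENT_VAULT and not (w.vault_scopes and w.vault_revocable):
        raise PolicyError("vaulting is not authorization: scopes and revocation required")
    return requested

def resolve_route(w: WorkflowProfile, requested: Optional[KeyPath] = None) -> Tuple[KeyPath, str]:
    """Combine the key path with provider pinning into one routing decision."""
    key_path = validate_key_path(w, requested) if requested else select_key_path(w)
    return key_path, (w.pinned_provider or "best-fit")
```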