spiffe — workload identity (SPIFFE / SPIRE)
SPIFFE workload identity — X.509-SVID, JWT-SVID, trust bundles, and the SPIRE workload API client.
secrets — Vault / cloud secret stores
Unified SecretStore protocol with AWS Secrets Manager, GCP Secret Manager, and HashiCorp Vault backends.
labels — information-flow control
Labelled data, the flows-to lattice, and information-flow tracking enforced by the type system.
regions — Tofte-Talpin region calculus
User-facing surface for Verum's region-calculus analysis — model and reason about region-typed values, lifetime environments, and escape checks.
capabilities — @cap, declassification, audit
Capability annotations, declassification primitives, and the build-manifest audit trail for security-sensitive operations.