Upstream provider keys are never stored in plaintext in the database. They are envelope-encrypted with AES-256-GCM: a per-record data key/nonce, wrapped by a master key (KEK) supplied via ROLTER_MASTER_KEY (env/file). Pluggable backends (HashiCorp Vault, cloud KMS) are a roadmap item.
In the bootstrap file, prefer api_key_env over inline api_key so secrets stay in the environment, not on disk.
Virtual keys are stored as hashes with a short display prefix; the raw key is shown once at creation.
Secrets are never logged. The gateway redacts auth headers from traces.
Upstream calls use rustls (no OpenSSL). HTTP/2 keep-alive with connection pooling.
Optional per-provider egress proxy (egress_proxy, HTTP/HTTPS/SOCKS5) for networks where providers aren’t directly reachable.
Optional global or per-provider custom CA bundles add private PKI roots to outbound upstream clients while retaining public roots, certificate-chain validation, and hostname verification.
Terminate TLS at the gateway or a fronting proxy/ingress in production.
Outbound requests to upstream providers carry no rolter-identifying marks: no User-Agent, no added X-*/Via headers, no metadata injected into the JSON body, no marks in SSE framing. The only headers sent are functionally required ones — content-type, the provider’s auth header, and anthropic-version for Anthropic.
Responses back to clients likewise gain no rolter-added headers.
This is a tested guarantee: golden wire tests in rolter-proxy capture the raw outbound request head and fail on any unexpected header (see openai_wire_carries_no_rolter_signature).
Tenant isolation: virtual keys are scoped to a project; model allow-lists prevent access to unconfigured models; cache keys are namespaced to avoid cross-tenant cache poisoning.
Abuse: RPM/TPM rate limits and budgets bound spend and load (roadmap enforcement).
AuthZ: control-plane mutations are RBAC-checked and recorded in audit_log.
Supply chain: cargo deny/advisory scanning in CI is a roadmap item.