Fix Docker build

Author: Symbiont OSS Sync

.github/workflows/docker-build.yml

@@ -8,26 +8,26 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: thirdkeyai/symbiont-sdk-python
+  IMAGE_NAME: thirdkeyai/symbi
 
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
-    
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
-    
+
     - name: Log in to Container Registry
       uses: docker/login-action@v3
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    
+
     - name: Extract metadata
       id: meta
       uses: docker/metadata-action@v5
@@ -38,7 +38,7 @@ jobs:
           type=ref,event=pr
           type=sha
           type=raw,value=latest,enable={{is_default_branch}}
-    
+
     - name: Build and push Docker image
       uses: docker/build-push-action@v5
       with:

README.md

@@ -91,12 +91,14 @@ symbi/
 ### ✅ Community Features (OSS)
 - **DSL Grammar**: Complete Tree-sitter grammar for agent definitions
 - **Agent Runtime**: Task scheduling, resource management, lifecycle control
-- **Docker Sandboxing**: Basic containerized isolation for agent operations
+- **Tier 1 Sandboxing**: Docker containerized isolation for agent operations
 - **MCP Integration**: Model Context Protocol client for external tools
 - **SchemaPin Security**: Basic cryptographic tool verification 
 - **RAG Engine**: Retrieval-augmented generation with vector search
 - **Context Management**: Persistent agent memory and knowledge storage
 - **Vector Database**: Qdrant integration for semantic search
+- **Basic Secrets Management**: Local encrypted file storage for configurations
+- **Cryptographic CLI**: Tool for encrypting/decrypting secret files
 - **HTTP API**: Optional RESTful interface (feature-gated)
 
 ### 🏢 Enterprise Features (License Required)
@@ -141,13 +143,13 @@ agent analyze_data(input: DataSet) -> Result {
 ## 🔒 Security Model
 
 ### Basic Security (Community)
-- **Docker Isolation**: Containerized agent execution
+- **Tier 1 Isolation**: Docker containerized agent execution
 - **Schema Verification**: Cryptographic tool validation with SchemaPin
 - **Policy Engine**: Basic resource access control
 - **Audit Logging**: Operation tracking and compliance
 
 ### Advanced Security (Enterprise)
-- **Multi-tier Sandboxing**: gVisor/Firecracker for high-risk operations **(Enterprise)**
+- **Enhanced Sandboxing**: gVisor (Tier2) and Firecracker (Tier3) isolation **(Enterprise)**
 - **AI Security Review**: Automated tool analysis and approval **(Enterprise)**
 - **Encrypted Communication**: Secure inter-agent messaging **(Enterprise)**
 - **Comprehensive Audits**: Cryptographic integrity guarantees **(Enterprise)**

crates/runtime/README.md

@@ -19,6 +19,8 @@ The Symbi Agent Runtime System provides a complete infrastructure for executing
 - **SchemaPin Security**: Tool verification with Trust-On-First-Use (TOFU)
 - **AI Tool Review**: Automated security analysis and signing workflow
 - **Policy Engine**: Resource access control with YAML-based policies
+- **Basic Secrets Management**: Local encrypted file storage for secure configurations
+- **Cryptographic CLI**: Tool for encrypting/decrypting secret files locally
 - **Optional HTTP API**: RESTful API interface for external system integration (feature-gated)
 
 ## Architecture
@@ -363,9 +365,56 @@ match decision.decision {
         // Handle other decision types
     }
 }
+### 9. Basic Secrets Management
+
+Local encrypted file storage for secure configuration data:
+
+```rust
+use symbi_runtime::secrets::file_backend::*;
+use symbi_runtime::crypto::*;
+
+// Configure encrypted file storage
+let file_config = FileBackendConfig {
+    base_path: "./secrets".to_string(),
+    file_extension: "enc".to_string(),
+    permissions: 0o600,
+};
+
+let crypto = Aes256GcmCrypto::new();
+let key_utils = KeyUtils::new();
+let master_key = key_utils.get_or_create_key()?;
+
+let file_backend = FileBackend::new(file_config, crypto, master_key).await?;
+
+// Store encrypted secret
+let secret = Secret::new("api_key", "secret_value_123")
+    .with_metadata("environment", "development");
+
+file_backend.store_secret("app/api_key", secret).await?;
+
+// Retrieve a secret
+let retrieved = file_backend.get_secret("app/api_key").await?;
+println!("API Key: {}", retrieved.value);
 ```
 
-### 9. Optional HTTP API
+#### CLI Usage
+
+Encrypt and decrypt secret files:
+
+```bash
+# Encrypt a JSON configuration file
+symbiont secrets encrypt --in config.json --out config.json.enc
+
+# Decrypt and view
+symbiont secrets decrypt --in config.json.enc
+
+# Edit encrypted file in-place
+symbiont secrets edit --file config.json.enc
+```
+
+```
+
+### 10. Optional HTTP API
 
 When enabled with the `http-api` feature, the runtime exposes a RESTful API:
 
@@ -426,11 +475,10 @@ cargo build --features http-api
 
 ## Security Features
 
-### Multi-tier Sandboxing
+### Sandboxing
 
-- **Tier1**: Docker containers with resource limits
-- **Tier2**: gVisor for enhanced isolation  
-- **Tier3**: Firecracker microVMs for maximum security
+- **Tier 1 (Docker)**: Container isolation with resource limits and security hardening
+- **Enhanced Isolation**: Additional tiers available in Enterprise edition
 
 ### SchemaPin Cryptographic Security
 
@@ -715,7 +763,13 @@ For issues and questions:
 - [x] Resource access management with policy engine
 - [x] Complete end-to-end security framework
 
-### 🚧 Phase 6: Advanced Intelligence (PLANNED)
+### ✅ Phase 6: Basic Secrets Management (COMPLETED)
+- [x] Encrypted file backend with AES-256-GCM encryption
+- [x] CLI tools for secret encryption/decryption operations
+- [x] Cross-platform file-based secret storage
+- [x] Integration with existing runtime components
+
+### 🚧 Phase 7: Advanced Intelligence (PLANNED)
 - [ ] Multi-modal RAG support (images, audio, structured data)
 - [ ] Cross-agent knowledge synthesis with knowledge graphs
 - [ ] Intelligent context management with adaptive pruning