Safety is a product principle.
Security is not compliance language. It is part of the developer experience. If developers trust the platform with their provider keys, traffic, and logs, the product has to earn that trust early.
Current posture.
Principles we follow.
Minimize exposure
Store as little sensitive material as possible in plaintext.
Validate early
Reject invalid requests before they hit upstream providers.
Scope access tightly
Ensure users only access their own credentials and data.
Keep logs useful, not risky
Logs should help diagnose issues without creating a second secrets store.
Make control explicit
Model access, key access, and provider access should be visible and manageable.
Why the language matters.
Recent incidents in the LLM tooling ecosystem showed how a compromised dependency can silently exfiltrate credentials from every downstream user — SSH keys, cloud credentials, API tokens — on import, before any code runs.
Valymux is written in Rust: compiled, statically linked, with no dynamic import hooks and no package manager running at runtime. There is no equivalent attack surface. You can audit the source, inspect the binary, and run it inside your own infrastructure with no external calls.
Built-in trust signals.
Coming next.
“Not just fast. Not just flexible. Safe enough to trust with real workloads.”
Join Waitlist