Plug-and-socket
The architecture in one line: a central container that holds everything, and a pluggable arm that decides.
A vault is two coupled pieces, and the line between them is the whole architecture.
- The vault primitive (container) is the center. It holds the capital, the risk limits, the NAV, and the rules, and it validates every operation. It is immutable once deployed.
- The plug is the arm. It's your strategy: it decides what to do, but it holds nothing and carries no authority. It can only propose operations, which the container checks before they run.
The container holds and enforces; the plug only decides.
Why they're separate
So your logic can change without disturbing anything a depositor cares about. A strategy has to move as you learn, but the capital, the vault's identity, and its track record should not move with it. Keeping the plug swappable lets the logic evolve while the container stays put. Forcing a brand-new vault on every change would scatter the capital and the history across addresses.
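The split described above, as a small Python model. This is an added example, not the product's contract code: the `Container`, `Operation`, `connect_plug` and `step` names, the owner-only swap, and binding permissions at swap time are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Operation:                 # hypothetical shape of a proposal
    kind: str
    amount: int

class Rejected(Exception):
    """Raised when the container refuses a proposal or a swap."""

class Container:
    """Holds capital, limits and history; validates every proposal."""
    def __init__(self, owner, capital, max_per_op):
        self._owner, self.capital = owner, capital
        self._max_per_op = max_per_op      # risk limit, fixed at deployment
        self._plug, self._granted = None, frozenset()
        self.history = []                  # track record stays with the container

    def connect_plug(self, caller, plug, granted):
        # Assumption: only the owner swaps plugs; permissions are bound here.
        if caller != self._owner:
            raise Rejected("only the owner may swap the plug")
        self._plug, self._granted = plug, frozenset(granted)

    def step(self, signal):
        # The plug receives values, never a reference to the container.
        op = self._plug.decide(signal, self.capital)
        if not isinstance(op, Operation):
            raise Rejected("proposal is not an Operation")
        if op.kind not in self._granted:
            raise Rejected(f"permission not granted: {op.kind}")
        if not 0 < op.amount <= min(self._max_per_op, self.capital):
            raise Rejected(f"amount {op.amount} outside risk limit")
        self.history.append(op)            # recorded only after validation
        return op

class LendPlug:                            # constructed sample strategy
    def decide(self, signal, capital):
        return Operation("lend", capital // 10)

class OversizedPlug:                       # constructed strategy that overreaches
    def decide(self, signal, capital):
        return Operation("lend", capital)  # proposes the whole balance

def demo():
    vault = Container(owner="alice", capital=1_000, max_per_op=200)
    vault.connect_plug("alice", LendPlug(), {"lend"})
    first = vault.step(signal=None)        # accepted: within the limit
    vault.connect_plug("alice", OversizedPlug(), {"lend"})
    try:
        vault.step(signal=None)
        blocked = False
    except Rejected:
        blocked = True                     # same container, new plug, limit holds
    return first, blocked, vault.capital, len(vault.history)
```

Swapping the plug changes only what gets proposed; the capital, the limit and the history stay on the same `Container` object.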
In practice
Two coupled pieces sounds like orchestration work, but you never wire them by hand. When you create a vault in Studio, the container and its plug are deployed and connected for you. Day to day you won't think of them as two things; you just have a working vault.
You'll also rarely swap the plug. There are two reasons to do so: your strategy needs a vault permission it hasn't been granted, or you want to change strategy logic that's fixed on-chain (see Strategy). Both are done from Studio too.