villagesql
diff --git a/‎…ing-reader/r/keyring_no_component.result‎ ‎…ql-keyring/r/keyring_no_component.result‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/r/keyring_no_component.result renamed to mysql-test/suite/villagesql/extension/vsql-keyring/r/keyring_no_component.result
Lines changed: 3 additions & 0 deletions b/‎…ing-reader/r/keyring_no_component.result‎ ‎…ql-keyring/r/keyring_no_component.result‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/r/keyring_no_component.result renamed to mysql-test/suite/villagesql/extension/vsql-keyring/r/keyring_no_component.result
Lines changed: 3 additions & 0 deletions
diff --git a/‎…sql-keyring-reader/r/keyring_read.result‎ ‎…nsion/vsql-keyring/r/keyring_read.result‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/r/keyring_read.result renamed to mysql-test/suite/villagesql/extension/vsql-keyring/r/keyring_read.result
Lines changed: 3 additions & 0 deletions b/‎…sql-keyring-reader/r/keyring_read.result‎ ‎…nsion/vsql-keyring/r/keyring_read.result‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/r/keyring_read.result renamed to mysql-test/suite/villagesql/extension/vsql-keyring/r/keyring_read.result
Lines changed: 3 additions & 0 deletions
diff --git a/‎…yring-reader/t/keyring_no_component.test‎ ‎…vsql-keyring/t/keyring_no_component.test‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/t/keyring_no_component.test renamed to mysql-test/suite/villagesql/extension/vsql-keyring/t/keyring_no_component.test
Lines changed: 4 additions & 0 deletions b/‎…yring-reader/t/keyring_no_component.test‎ ‎…vsql-keyring/t/keyring_no_component.test‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/t/keyring_no_component.test renamed to mysql-test/suite/villagesql/extension/vsql-keyring/t/keyring_no_component.test
Lines changed: 4 additions & 0 deletions
diff --git a/‎…/vsql-keyring-reader/t/keyring_read.test‎ ‎…tension/vsql-keyring/t/keyring_read.test‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/t/keyring_read.test renamed to mysql-test/suite/villagesql/extension/vsql-keyring/t/keyring_read.test
Lines changed: 3 additions & 0 deletions b/‎…/vsql-keyring-reader/t/keyring_read.test‎ ‎…tension/vsql-keyring/t/keyring_read.test‎mysql-test/suite/villagesql/examples/vsql-keyring-reader/t/keyring_read.test renamed to mysql-test/suite/villagesql/extension/vsql-keyring/t/keyring_read.test
Lines changed: 3 additions & 0 deletions
diff --git a/‎villagesql/CMakeLists.txt‎
Lines changed: 0 additions & 26 deletions b/‎villagesql/CMakeLists.txt‎
Lines changed: 0 additions & 26 deletions
diff --git a/‎villagesql/sdk/include/villagesql/abi/preview/keyring.h‎
Lines changed: 72 additions & 0 deletions b/‎villagesql/sdk/include/villagesql/abi/preview/keyring.h‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎villagesql/sdk/include/villagesql/abi/types.h‎
Lines changed: 6 additions & 38 deletions b/‎villagesql/sdk/include/villagesql/abi/types.h‎
Lines changed: 6 additions & 38 deletions
diff --git a/‎villagesql/sdk/include/villagesql/detail/vef_register.h‎
Lines changed: 0 additions & 6 deletions b/‎villagesql/sdk/include/villagesql/detail/vef_register.h‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎villagesql/sdk/include/villagesql/preview/keyring.h‎
Lines changed: 100 additions & 0 deletions b/‎villagesql/sdk/include/villagesql/preview/keyring.h‎
Lines changed: 100 additions & 0 deletions
@@ -1,3 +1,4 @@
+SET PERSIST vsql_allow_preview_extensions = ON;
 # Install extension
 INSTALL EXTENSION vsql_keyring_reader;
 # Read raises error when no keyring component is installed
@@ -23,6 +24,8 @@ vsql_keyring_reader.keyring_read('vsql_test_key', NULL)
 my_secret_value
 # Uninstall extension
 UNINSTALL EXTENSION vsql_keyring_reader;
+SET PERSIST vsql_allow_preview_extensions = OFF;
+RESET PERSIST vsql_allow_preview_extensions;
 # Uninstall keyring component
 # ----------------------------------------------------------------------
 # Teardown
 
@@ -4,6 +4,7 @@
 # Creating manifest file for current MySQL server instance
 # Re-starting mysql server with manifest file
 # ----------------------------------------------------------------------
+SET PERSIST vsql_allow_preview_extensions = ON;
 # Install extension
 INSTALL EXTENSION vsql_keyring_reader;
 # Store a secret in the keyring
@@ -30,6 +31,8 @@ vsql_keyring_reader.keyring_read(NULL, NULL) IS NULL
 1
 # Uninstall extension
 UNINSTALL EXTENSION vsql_keyring_reader;
+SET PERSIST vsql_allow_preview_extensions = OFF;
+RESET PERSIST vsql_allow_preview_extensions;
 # ----------------------------------------------------------------------
 # Teardown
 # Removing manifest file for current MySQL server instance
 
@@ -3,6 +3,8 @@
 
 --source include/have_component_keyring_file.inc
 
+SET PERSIST vsql_allow_preview_extensions = ON;
+
 --echo # Install extension
 INSTALL EXTENSION vsql_keyring_reader;
 
@@ -25,6 +27,8 @@ SELECT vsql_keyring_reader.keyring_read('vsql_test_key', NULL);
 
 --echo # Uninstall extension
 UNINSTALL EXTENSION vsql_keyring_reader;
+SET PERSIST vsql_allow_preview_extensions = OFF;
+RESET PERSIST vsql_allow_preview_extensions;
 
 --echo # Uninstall keyring component
 --source suite/component_keyring_file/inc/teardown_component.inc
@@ -3,6 +3,7 @@
 
 --source include/have_component_keyring_file.inc
 --source suite/component_keyring_file/inc/setup_component.inc
+SET PERSIST vsql_allow_preview_extensions = ON;
 
 --echo # Install extension
 --let $veb_dir = `SELECT @@veb_dir`
@@ -30,5 +31,7 @@ SELECT vsql_keyring_reader.keyring_read(NULL, NULL) IS NULL;
 
 --echo # Uninstall extension
 UNINSTALL EXTENSION vsql_keyring_reader;
+SET PERSIST vsql_allow_preview_extensions = OFF;
+RESET PERSIST vsql_allow_preview_extensions;
 
 --source suite/component_keyring_file/inc/teardown_component.inc
@@ -243,20 +243,6 @@ IF(NOT WITHOUT_SERVER)
     INSTALL_COMMAND ""
   )
 
-  ExternalProject_Add(vsql_keyring_reader_extension
-    SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/examples/vsql-keyring-reader
-    BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}/examples/vsql-keyring-reader-build
-    CMAKE_GENERATOR ${CMAKE_GENERATOR}
-    CMAKE_ARGS
-      "-DCMAKE_PREFIX_PATH=${CMAKE_SOURCE_DIR}"
-      "-DVillageSQLExtensionFramework_INCLUDE_DIR=${SDK_STAGING_DIR}/include-dev"
-      "-DVillageSQL_VEB_INSTALL_DIR=${CMAKE_BINARY_DIR}/lib/veb"
-      "-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}"
-    DEPENDS sdk
-    BUILD_ALWAYS ON
-    INSTALL_COMMAND ""
-  )
-
   add_custom_target(copy_vsql_config_vars_test_veb
     COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_BINARY_DIR}/veb_output_directory
     COMMAND ${CMAKE_COMMAND} -E copy
@@ -321,18 +307,6 @@ IF(NOT WITHOUT_SERVER)
   add_custom_target(range_clamp_test_veb ALL)
   add_dependencies(range_clamp_test_veb copy_vsql_range_clamp_test_veb)
 
-  add_custom_target(copy_vsql_keyring_reader_veb
-    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_BINARY_DIR}/veb_output_directory
-    COMMAND ${CMAKE_COMMAND} -E copy
-      ${CMAKE_CURRENT_BINARY_DIR}/examples/vsql-keyring-reader-build/vsql_keyring_reader.veb
-      ${CMAKE_BINARY_DIR}/veb_output_directory/
-    DEPENDS vsql_keyring_reader_extension
-    COMMENT "Copying vsql_keyring_reader.veb to veb_output_directory"
-  )
-
-  add_custom_target(keyring_reader_veb ALL)
-  add_dependencies(keyring_reader_veb copy_vsql_keyring_reader_veb)
-
   ExternalProject_Add(vsql_test_only_extension
     SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}/test-extensions/vsql-test-only
     BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}/test-extensions/vsql-test-only-build
 
@@ -0,0 +1,72 @@
+// Copyright (c) 2026 VillageSQL Contributors
+//
+// This program is free software; you can redistribute it and/or
+// modify it under the terms of the GNU General Public License
+// as published by the Free Software Foundation; either version 2
+// of the License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License, version 2.0, for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+#ifndef VILLAGESQL_ABI_PREVIEW_KEYRING_H
+#define VILLAGESQL_ABI_PREVIEW_KEYRING_H
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+// Preview capability: "vsql::keyring"
+//
+// Provides access to the MySQL keyring component. Extensions that require
+// this capability can read and write secrets via the vtable functions below.
+//
+// Capability name: VEF_PREVIEW_KEYRING_NAME
+
+#define VEF_PREVIEW_KEYRING_NAME "vsql::keyring"
+
+typedef enum {
+  VEF_KEYRING_OK = 0,
+  VEF_KEYRING_NOT_FOUND = 1,    // key does not exist
+  VEF_KEYRING_UNAVAILABLE = 2,  // no keyring component is installed
+  VEF_KEYRING_ERROR = 3,        // other error
+} vef_keyring_result_t;
+
+// Read a secret from the MySQL keyring component.
+//   data_id:  identifier for the secret.
+//   auth_id:  owner of the secret, or NULL for internal keys.
+//   buf:      caller-provided buffer to receive the secret bytes.
+//   buf_len:  size of buf in bytes.
+//   out_len:  set to the actual number of bytes written on success.
+typedef vef_keyring_result_t (*vef_read_keyring_fn)(const char *data_id,
+                                                    const char *auth_id,
+                                                    unsigned char *buf,
+                                                    size_t buf_len,
+                                                    size_t *out_len);
+
+// Write a secret to the MySQL keyring component.
+//   data_id:   identifier for the secret.
+//   auth_id:   owner of the secret, or NULL for internal keys.
+//   data:      secret bytes to store.
+//   data_len:  length of data in bytes.
+typedef vef_keyring_result_t (*vef_write_keyring_fn)(const char *data_id,
+                                                     const char *auth_id,
+                                                     const unsigned char *data,
+                                                     size_t data_len);
+
+typedef struct {
+  vef_read_keyring_fn read;
+  vef_write_keyring_fn write;
+} vef_preview_keyring_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif  // VILLAGESQL_ABI_PREVIEW_KEYRING_H
@@ -170,9 +170,8 @@ typedef enum : unsigned int {
                    // + Extension system variables (vef_sys_var_desc_t):
                    //   server registers these as MySQL component system
                    //   variables on the extension's behalf.
-                   // + get_variable/set_variable/read_keyring/write_keyring
-                   //   function pointers in vef_register_arg_t: access to
-                   //   MySQL system variables and keyring component.
+                   // + get_variable/set_variable function pointers in
+                   //   vef_register_arg_t: access to MySQL system variables.
                    // + Preview capability system: extensions declare named
                    //   capabilities they require in vef_registration_t;
                    //   the server populates their function pointers before
@@ -230,35 +229,6 @@ typedef bool (*vef_set_variable_fn)(const char *component_name,
                                     const char *name, const char *scope,
                                     const char *val);
 
-typedef enum {
-  VEF_KEYRING_OK = 0,
-  VEF_KEYRING_NOT_FOUND = 1,    // key does not exist
-  VEF_KEYRING_UNAVAILABLE = 2,  // no keyring component is installed
-  VEF_KEYRING_ERROR = 3,        // other error
-} vef_keyring_result_t;
-
-// read_keyring: read a secret from the MySQL keyring component.
-//   data_id:  identifier for the secret.
-//   auth_id:  owner of the secret, or NULL for internal keys.
-//   buf:      caller-provided buffer to receive the secret bytes.
-//   buf_len:  size of buf in bytes.
-//   out_len:  set to the actual number of bytes written on success.
-typedef vef_keyring_result_t (*vef_read_keyring_fn)(const char *data_id,
-                                                    const char *auth_id,
-                                                    unsigned char *buf,
-                                                    size_t buf_len,
-                                                    size_t *out_len);
-
-// write_keyring: write a secret to the MySQL keyring component.
-//   data_id:   identifier for the secret.
-//   auth_id:   owner of the secret, or NULL for internal keys.
-//   data:      secret bytes to store.
-//   data_len:  length of data in bytes.
-typedef vef_keyring_result_t (*vef_write_keyring_fn)(const char *data_id,
-                                                     const char *auth_id,
-                                                     const unsigned char *data,
-                                                     size_t data_len);
-
 typedef struct {
   // protocol >= VEF_PROTOCOL_1
   vef_protocol_t protocol;
@@ -268,14 +238,12 @@ typedef struct {
 
   // protocol >= VEF_PROTOCOL_2
   // TODO(villagesql-beta): How do extension authors opt into requiring these
-  // APIs? An extension that uses get_variable/set_variable/read_keyring/
-  // write_keyring should be able to declare that dependency so the server can
-  // reject loading it with a clear error on older servers that do not provide
-  // these functions (where these pointers would be nullptr).
+  // APIs? An extension that uses get_variable/set_variable should be able to
+  // declare that dependency so the server can reject loading it with a clear
+  // error on older servers that do not provide these functions (where these
+  // pointers would be nullptr).
   vef_get_variable_fn get_variable;
   vef_set_variable_fn set_variable;
-  vef_read_keyring_fn read_keyring;
-  vef_write_keyring_fn write_keyring;
 } vef_register_arg_t;
 
 typedef struct {
 
@@ -38,10 +38,6 @@ namespace sys_var {
 extern vef_get_variable_fn g_get_variable;
 extern vef_set_variable_fn g_set_variable;
 }  // namespace sys_var
-namespace keyring {
-extern vef_read_keyring_fn g_read_keyring;
-extern vef_write_keyring_fn g_write_keyring;
-}  // namespace keyring
 
 // Define materialize_func_desc here so it is available to both old
 // (villagesql::func_builder) and new (vsql::func_builder) API users without
@@ -187,8 +183,6 @@ vef_registration_t *vef_register_impl(vef_registration_t &reg,
     if (arg->protocol >= VEF_PROTOCOL_2) {
       vsql::sys_var::g_get_variable = arg->get_variable;
       vsql::sys_var::g_set_variable = arg->set_variable;
-      vsql::keyring::g_read_keyring = arg->read_keyring;
-      vsql::keyring::g_write_keyring = arg->write_keyring;
     }
   }
 
 
@@ -0,0 +1,100 @@
+// Copyright (c) 2026 VillageSQL Contributors
+//
+// This program is free software; you can redistribute it and/or
+// modify it under the terms of the GNU General Public License
+// as published by the Free Software Foundation; either version 2
+// of the License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+#ifndef VILLAGESQL_PREVIEW_KEYRING_H
+#define VILLAGESQL_PREVIEW_KEYRING_H
+
+#include <string>
+#include <string_view>
+
+#include <villagesql/abi/preview/keyring.h>
+#include <villagesql/detail/capability_hash.h>
+#include <villagesql/vsql/extension_builder.h>
+
+namespace vsql::preview::keyring {
+
+// C++ wrapper around vef_preview_keyring_t.
+//
+// Usage:
+//   static auto g_keyring = vsql::preview::keyring::make_capability();
+//
+//   // In extension code:
+//   auto result = g_keyring.read("my-key", "", value);
+//
+// Register with:
+//   make_extension().with<preview_keyring<g_keyring>>()
+class Capability {
+ public:
+  static constexpr const char *kName = VEF_PREVIEW_KEYRING_NAME;
+
+  // Read a secret from the MySQL keyring component into value.
+  //   auth_id may be empty to read internal keys.
+  //   Returns VEF_KEYRING_OK on success, VEF_KEYRING_NOT_FOUND if the key does
+  //   not exist, VEF_KEYRING_UNAVAILABLE if no keyring component is installed,
+  //   or VEF_KEYRING_ERROR on other failures.
+  vef_keyring_result_t read(std::string_view data_id, std::string_view auth_id,
+                            std::string &value) const {
+    if (abi_.read == nullptr) return VEF_KEYRING_UNAVAILABLE;
+    value.resize(4096);
+    size_t out_len = 0;
+    vef_keyring_result_t result =
+        abi_.read(data_id.data(), auth_id.empty() ? nullptr : auth_id.data(),
+                  reinterpret_cast<unsigned char *>(value.data()), value.size(),
+                  &out_len);
+    if (result == VEF_KEYRING_OK) value.resize(out_len);
+    return result;
+  }
+
+  // Write a secret to the MySQL keyring component.
+  //   auth_id may be empty to store as an internal key.
+  //   Returns VEF_KEYRING_OK on success, VEF_KEYRING_UNAVAILABLE if no keyring
+  //   component is installed, or VEF_KEYRING_ERROR on other failures.
+  vef_keyring_result_t write(std::string_view data_id, std::string_view auth_id,
+                             std::string_view data) const {
+    if (abi_.write == nullptr) return VEF_KEYRING_UNAVAILABLE;
+    return abi_.write(
+        data_id.data(), auth_id.empty() ? nullptr : auth_id.data(),
+        reinterpret_cast<const unsigned char *>(data.data()), data.size());
+  }
+
+  bool available() const { return abi_.read != nullptr; }
+
+  // Public so that cap_receive() can access abi_ via a pointer.
+  // Do not access directly — use read(), write(), and available() instead.
+  vef_preview_keyring_t abi_;
+};
+
+inline Capability make_capability() { return Capability{}; }
+
+}  // namespace vsql::preview::keyring
+
+namespace vsql::preview {
+
+// Traits type for registering the keyring capability via
+// .with<preview_keyring<cap>>. Only available when this header is included.
+template <auto &cap>
+struct preview_keyring {
+  template <typename Inner>
+  static constexpr auto bind(Inner builder) {
+    using Cap = keyring::Capability;
+    return builder.required_capability(
+        {Cap::kName, &::vsql::cap_receive<Cap, &cap>,
+         ::villagesql::detail::abi_type_hash<decltype(cap.abi_)>()});
+  }
+};
+
+}  // namespace vsql::preview
+
+#endif  // VILLAGESQL_PREVIEW_KEYRING_H