Skip to content

AliProgrammin/agentic-vault

BranchesTags

Repository files navigation

Agentic Vault

MCP server that lets AI agents call APIs without ever seeing the credentials.

license: AGPL-3.0 commercial license available Node 20+

Secrets live in a local encrypted vault. The server substitutes them at call time into outbound HTTP requests or subprocess environment variables, under a per-secret allowlist policy. The model only ever sees secret names, never values.

Homepage: https://agenticvault.madhoob.dev

Why

Letting an AI agent make authenticated calls usually means giving it the raw API key. That breaks least-privilege, pollutes transcripts and logs, and means one jailbreak or prompt-injection is enough to exfiltrate the token.

Agentic Vault splits the two: the agent picks a secret by name and a destination; the vault checks the policy and injects the value. The plaintext never crosses the tool boundary.

Install

npm install -g secretproxy
secretproxy init                # creates the global vault, stores master password in the OS keychain
secretproxy add OPENROUTER_API_KEY sk-or-...
secretproxy policy set OPENROUTER_API_KEY --host openrouter.ai
secretproxy run                 # start the MCP server over stdio

Then point any MCP client (Claude Code, Cursor, Cline, Codex, Zed) at secretproxy run.

Tools exposed over MCP

Tool Purpose
list_secrets Enumerate available secret names (no values)
http_request Make an HTTP call with a secret injected into headers, query, or body
run_command Run a subprocess with secrets injected as env vars
scan_env_requirement Detect what env vars a project expects and match them to stored secrets

Features

  • Zero-plaintext injection — values substituted inside the vault, never in the model context
  • Per-secret policy — allow-lists for HTTP hosts, commands, env vars; deny by default; optional wildcards (strict mode rejects them)
  • AES-256-GCM vault with argon2id key derivation
  • Encrypted audit trail — every call logged with policy decision, surface, outcome
  • Scoped vaults — global defaults + per-project overrides
  • OS-native password storage — macOS Keychain, libsecret, Windows Credential Manager
  • Interactive TUI (secretproxy tui) and local-only web UI (secretproxy ui)
  • Rate limiting with token buckets
  • Zero telemetry — no outbound calls, local-only by design

Development

npm install
npm test            # 328 tests across 45 files
npm run build
npm run typecheck

Architecture primer: src/vault/ owns encryption, src/mcp/ owns the MCP tool surface, src/policy/ owns allowlist enforcement, src/audit/ owns the append-only log.

License

AGPL-3.0-or-later for open-source use — see LICENSE.

If your use case is incompatible with AGPL's network-copyleft clause (embedding in a proprietary product, offering as a managed service without source disclosure, etc.), a commercial license is available — see COMMERCIAL-LICENSE.md.

Contact: haaamcar@gmail.com

About

Open-source MCP server that lets AI agents call APIs without ever seeing the credentials. Policy-enforced secret injection into HTTP calls and subprocesses, with encrypted audit trail.

agenticvault.madhoob.dev

Topics

nodejs security typescript mcp secrets ai-agents claude secrets-management ai-security anthropic mcp-server

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.0.1 — initial open-source release Latest
Apr 23, 2026

Packages

 
 
 

Contributors

Languages