Agent-Kryptos (Agent Secrets)

Agent-Kryptos is a secure, zero-knowledge secret provisioning system designed to let humans and AI agents exchange sensitive credentials through one coordinating SPS server without exposing plaintext to the LLM or the server.

This repository contains the architecture, implementation plans, and source code for the Secret Provisioning System (SPS), including gateway-level anti-phishing, in-memory-only secret storage, and HPKE (Hybrid Public Key Encryption) encryption.

Table of Contents

• Overview
• Hosted Services
• Architecture
• Directory Structure
• Documentation
• Features
• Getting Started

Overview

When an AI Agent needs a secret to complete a task (e.g., "Deploy my website to AWS"), it should never ask for the secret in plain text over chat, nor should the secret ever be visible to the LLM.

Agent-Kryptos solves this by using SPS as the trust anchor and coordinator. For Human -> Agent flow, the gateway generates a secure, single-use, out-of-band link for the user. The user encrypts the secret in their browser, and only the agent's constrained execution environment can decrypt and hold it in memory. For Agent -> Agent flow, SPS coordinates a pull-based exchange between stable agent identities, enforcing policy, approvals, and one-time retrieval without requiring Kubernetes or a cluster control plane.

Hosted Services

Access the live Agent-Kryptos platform:

• Landing Page: kryptos.atas.tech
• Operator Dashboard: app.atas.tech
• SPS API Server: sps.atas.tech
• Secure Secret Input: secret.atas.tech

Architecture

The system consists of 5 main components:

1. SPS Server: A Fastify backend with Redis-backed storage for handling encrypted payload submission and retrieval. All data has a strict TTL.
2. Operator Dashboard: A Vite + React application providing a persistent human-facing interface for workspace management, audit logging, and agent enrollment.
3. Browser UI: A zero-dependency, static HTML/JS page served to the user. It handles client-side HPKE encryption so the plaintext secret never traverses the network.
4. Agent Skill: A package that gives agents the request_secret tool, handles keypair generation, and securely manages the in-memory SecretStore.
5. Gateway Middleware / Runtime Integration: Intercepts LLM tool calls, replaces them with secure out-of-band links, enforces outbound URL filtering, and can mint or forward SPS-trusted agent tokens for coordinated agent-to-agent exchange.

Directory Structure

agent-kryptos/
├── docs/                 # System architecture, security audits, and test plans
│   ├── architecture/     # Implementation plans and system design docs
│   ├── security/         # Security audit documentation
│   └── testing/          # E2E and component test plans
├── packages/             # Monorepo packages (TypeScript)
│   ├── agent-skill/      # Agent-side secret management skill
│   ├── browser-ui/       # Secure client-side encryption interface
│   ├── dashboard/        # Operator Dashboard (Vite + React SPA)
│   ├── gateway/          # Gateway security middleware
│   ├── openclaw-plugin/  # OpenClaw specific integration
│   └── sps-server/       # Secret Provisioning Service backend
└── scripts/              # Integration tests and E2E demonstration scripts

Documentation

Detailed documentation and planning can be found in the docs/ folder:

• Core Strategy: Implementation Plan | Security Audit | Licensing Proposal
• Roadmap & Phases:
  • Phase 1: Core MVP
  • Phase 2A: Agent to Agent Exchange
  • Phase 2B: Production A2A
  • Phase 3A: Hosted Platform
  • Phase 3B: UI & Operations
• Maintenance: Dashboard Maintainability

Licensing

This repository uses a mixed-license model:

• packages/sps-server and packages/dashboard are licensed under AGPL-3.0-only.
• packages/agent-skill, packages/browser-ui, packages/gateway, and packages/openclaw-plugin are licensed under MIT.

See LICENSES.md for the package licensing matrix and rollout notes.

Features

• Zero-Knowledge Encryption: Secrets are encrypted in the user's browser using HPKE before transmission. The server only sees ciphertext.
• Short-Lived Keys: Agent keypairs and encrypted payloads are ephemeral and strictly TTL-bound.
• Phishing Prevention: Gateway egress filtering redacts unexpected URLs, and requests are protected by cryptographically secure confirmation codes.
• Atomic Single-Use Retrieval: Secrets are retrieved and deleted atomically via Redis Lua scripts, ensuring they can only be read once.
• No LLM Exposure: The LLM orchestration layer never comes in contact with plaintext secrets.
• Single Coordinator Model: One SPS server can coordinate secret exchange across multiple agents and hosts using stable agent IDs and SPS-trusted JWT/JWKS validation.

Auth Modes

• Hosted / local plugin default: Prefer agent API keys. Enrolled agents exchange AGENT_KRYPTOS_API_KEY / SPS_AGENT_API_KEY for short-lived SPS bearer tokens, so plugin users do not need to manage JWKS files.
• Self-hosted / workload identity: Use SPS_AGENT_AUTH_PROVIDERS_JSON to trust external workload JWT issuers via jwks_url or jwks_file.
• Legacy note: SPS_GATEWAY_JWKS_FILE and SPS_GATEWAY_JWKS_URL are no longer direct SPS server config. If you keep a local jwks.json, reference it from SPS_AGENT_AUTH_PROVIDERS_JSON.

Getting Started

(Instructions for local development and deployment to be added as implementation progresses)