LocalAPI Hub

Local-first AI command center for agentic developer workspaces

English | 中文 | Roadmap | Development Plan

LocalAPI Hub is a local-first control plane for AI agents, connectors, keys, skills, and usage.

It is designed for developers and teams who run multiple local AI tools and need one trustworthy place to answer:

• What agents are active?
• What keys and providers are they using?
• What skills and automations are installed?
• What is trusted, risky, expensive, or misconfigured?

Instead of treating these as separate utilities, LocalAPI Hub turns them into one workspace graph.

Why This Project

Modern AI workflows are fragmented:

• keys are scattered across .env files, shell profiles, and CLI config directories
• usage is split between tools like OpenClaw, Claude, and Codex
• skills and automations accumulate without inventory or governance
• security posture usually breaks down before teams notice

Most existing products focus on hosted tracing, AI gateways, or vendor-specific agent surfaces.

LocalAPI Hub focuses on the machine where agents actually run.

What LocalAPI Hub Manages

• Keys Discover local API keys, track where they come from, encrypt stored secrets, and run health checks.
• Connectors Detect local AI clients and gateways such as OpenClaw, Claude, and Codex.
• Usage Read local usage signals, routing state, provider activity, and estimated cost.
• Skills Inventory local skills, duplicate installs, automation hints, and risk labels.
• Security Add admin gates, local encrypted secret storage, and sops + age project configuration.

Current Product Direction

The strongest version of this project is not:

• only an API key scanner
• only a local observability toy
• only another dashboard

The strongest version is:

the local-first control plane for agentic developer workspaces

This is the wedge:

• local-first
• multi-agent
• privacy-aware
• governance-ready
• open source

Current Capabilities

• scans common local config files and env files for API keys
• encrypts runtime-discovered secrets before storing them locally
• gates sensitive actions behind LOCALAPI_HUB_ADMIN_TOKEN
• reads OpenClaw session logs and auth profiles
• detects Claude and Codex local usage signals
• inventories local skill roots and flags risky automation patterns
• adds a cross-agent Control Plane view across keys, connectors, skills, and usage
• adds a metadata-first Session Inbox across local connectors
• adds incident visibility for stale connectors, risky sessions, and provider coverage gaps
• adds burn-rate summaries from local session metadata
• adds a Governance layer with policy evaluation, findings, and recommended actions
• adds OpenClaw Control for safe local routing updates with admin gating and automatic backups
• adds OpenClaw config validation hints and backup-snapshot rollback
• adds rollout preview and explicit apply confirmation before OpenClaw writes
• supports screenshot-safe Privacy Mode for demos and public sharing
• supports project-level config through sops + age

Security Model

Security is a product feature, not an afterthought.

• Runtime-discovered secrets are encrypted before being written to SQLite.
• Sensitive local actions require LOCALAPI_HUB_ADMIN_TOKEN.
• Project-level config can be encrypted with sops + age.
• Plain local config and decrypted secret files are ignored by Git by default.
• The UI is designed to show masked key fingerprints and ~-relative paths instead of raw secret values.

Quick Start

Install

npm install

Run

npm run dev

Open http://localhost:3000.

Build

npm run build
npm start

Environment Variables

Copy .env.example to .env and configure what you need:

DATABASE_URL="data/localapi-hub.db"
LOCALAPI_HUB_MASTER_KEY=""
LOCALAPI_HUB_ADMIN_TOKEN=""
SOPS_AGE_KEY_FILE=""
NEXT_PUBLIC_APP_URL="http://localhost:3000"

Notes:

• LOCALAPI_HUB_MASTER_KEY is optional. If omitted, LocalAPI Hub creates a local key file under data/.
• LOCALAPI_HUB_ADMIN_TOKEN should be set before running scan, export, import, decrypt, or other sensitive actions.
• SOPS_AGE_KEY_FILE is optional if your default key already lives at ~/.config/sops/age/keys.txt.

Project Config With SOPS

LocalAPI Hub resolves project config in this order:

1. secrets/config.enc.json via sops + age
2. config.json
3. built-in defaults

Recommended workflow:

cp .sops.example.yaml .sops.yaml
# replace the example recipient with your own age public key
cp config.example.json secrets/config.dec.json
# edit secrets/config.dec.json locally
./scripts/encrypt_config.sh
rm -f secrets/config.dec.json

To inspect an encrypted config locally:

./scripts/decrypt_config.sh

Files intentionally kept out of Git:

• config.json
• secrets/config.dec.json
• secrets/*.json
• .sops.yaml

Default Data Sources

Keys

• shell profiles
• .env files
• common AI client config files
• cloud and development tooling config files

Connectors

• ~/.openclaw
• ~/.claude
• ~/.codex

Skills

• ~/.agents/skills
• ~/.codex/skills

These roots can be overridden in project config.

Typical Workflows

Inventory local AI assets

• run a scan
• review discovered keys
• inspect where they came from
• inspect connector and skill coverage

Audit OpenClaw behavior

• inspect routing
• compare configured providers against actual usage
• identify active auth profiles
• review local cost estimates

Review skill risk

• find duplicate installs
• highlight skills that run scripts or browser automation
• flag destructive or external publishing behavior

Run the control plane

• open the Control Plane page
• inspect provider coverage across keys, connectors, skills, and usage
• identify where you have inventory but no activity, or activity but weak governance
• use Privacy Mode before screenshots, demos, or public issue reports

Review governance posture

• open the Governance page
• review failing and warning policies
• triage high-risk sessions, stale connectors, and provider coverage gaps
• follow recommended actions before rolling into stronger control features

Safely update OpenClaw routing

• open the OpenClaw Control page
• review the current primary model, route, fallback model, and strategy
• check validation hints before saving
• preview the rollout to inspect exact field-level changes
• save changes through the admin-gated control surface
• explicitly confirm before apply
• rely on automatic backups before each write
• restore a prior backup snapshot if a routing change needs to be rolled back

Prepare a repo for open-source sharing

• move machine-specific config into sops
• keep repo-safe defaults in Git
• avoid committing plaintext local config

Privacy Posture

This project is intentionally local-first.

• Core inventory and usage features do not require a hosted backend.
• Local source paths are normalized to ~ where possible.
• The repo is structured to avoid tracking user-specific config and decrypted secret files.

Roadmap

See ROADMAP.md for the product thesis and staged build-out plan. See DEVELOPMENT_PLAN.md for the version-by-version release plan and engineering principles.

Near-term priorities:

1. stronger key x connector x usage x skill correlation
2. stronger provider and connector control actions
3. intervention-ready session and connector warnings
4. OpenClaw configuration management
5. safer rollout and approval-aware control actions

Commercial Open Source Direction

The long-term target is commercial open source:

• useful for solo developers on day one
• governance-friendly for teams later
• safe enough by default to share publicly
• extensible enough to support premium connectors and workflows in the future

Contributing

Issues and pull requests are welcome.

When opening an issue, include:

• your OS version
• which local AI clients you use
• whether you use sops
• whether the issue is about scanning, usage, connectors, skills, or security

License

MIT