Zero-knowledge secret injection for AI agents. No read commands. No plaintext. Secrets flow through pipes, not prompts.
$ go install github.com/octokraft/agent-vault/cmd/agent-vault@latest
Traditional secrets managers assume a human operator. Agent Vault assumes a machine -- and treats it as untrusted by default.
There is no get or read command. Secrets can only be injected into processes -- never retrieved as plaintext.
Secrets flow through Unix pipes and environment variables. They never appear in shell history, agent context windows, or log files.
Secrets are encrypted at rest using AES-256-GCM with Argon2id key derivation. Industry-standard cryptography, zero shortcuts.
Blocks shells, interpreters, and exfiltration commands by default. Per-secret command allowlists. Argument inspection catches -c and --eval flags.
The human sets the vault passphrase. The agent uses the CLI. Secrets are injected into commands without the agent ever holding them.
12 commands: exec, pipe, import, rekey, verify, TTL expiry, and more. Works the Unix way.
The vault sits between the human operator, the AI agent, and the target command. The agent orchestrates; it never holds secrets.
The human initializes and stores secrets. The agent injects them into commands. Four commands to learn, zero plaintext exposure.
# Initialize a new vault (creates ~/.agent-vault/) $ agent-vault init # Enter passphrase when prompted -- this is the only secret the human types # Store secrets (values are prompted, never passed as arguments) $ agent-vault set db-password # Enter secret value: ******** $ agent-vault set api-key # Enter secret value: ******** $ agent-vault set github-token # Enter secret value: ********
# Inject secrets as environment variables into any command $ agent-vault exec --env DB_PASS=db-password -- psql -U admin mydb # Multiple secrets in one command $ agent-vault exec \ --env AWS_ACCESS_KEY_ID=aws-key \ --env AWS_SECRET_ACCESS_KEY=aws-secret \ -- aws s3 ls # The command receives the secret; the agent never sees it # The secret is not in shell history, env, or agent context
# Pipe a secret into a command's stdin $ agent-vault pipe github-token -- gh auth login --with-token # Works with any command that reads from stdin $ agent-vault pipe docker-password -- docker login -u user --password-stdin # The secret flows: vault -> pipe -> command # It never touches the agent's memory or context window
# List stored secret names (never values) $ agent-vault list db-password api-key github-token # Check vault status $ agent-vault status Vault: ~/.agent-vault/vault.enc Secrets: 3 Cipher: AES-256-GCM KDF: Argon2id Created: 2026-03-19T10:30:00Z
Every design decision serves one goal: secrets must be impossible to exfiltrate through the agent.
The CLI has no get, read, or show command. There is no code path that outputs a secret as plaintext. This is not a configuration option -- the capability does not exist.
The policy engine blocks shells (bash, zsh, sh), interpreters (python, node, ruby), and exfiltration commands (cat, echo, curl) by default. Argument inspection catches -c and --eval flags.
AES-256-GCM with Argon2id key derivation. Atomic write-then-rename prevents vault corruption on crash. Exclusive file locking prevents concurrent access. Memory is zeroed after use.
Secrets are injected via env vars or stdin pipes — never written to disk or CLI args. All AGENT_VAULT_* env vars are scrubbed from child processes so the passphrase itself cannot leak.
Secrets support time-to-live via --ttl. Expired secrets are rejected at injection time. The verify command reports vault health and expired entries.
Requires Go 1.21 or later. Single binary, zero runtime dependencies.
# Install the binary $ go install github.com/octokraft/agent-vault/cmd/agent-vault@latest # Initialize your vault $ agent-vault init # Store your first secret $ agent-vault set my-secret # Use it $ agent-vault exec --env SECRET=my-secret -- ./my-app
go install command
init + set
exec and pipe