macOS secret broker · for AI coding agents

Agents run real commands with real credentials.
They never see the secret.

AgentVault injects your tokens into the command and masks them in the output at the source. The work happens; the secret never enters the model's context, your transcript, or any log.

brew install bshk-app/tap/agentvault

macOS only (v1) · requires Homebrew

$ av run -- npm whoami

beshkenadze authenticated


NPM_TOKEN = npm_R8xKd2Lp9Qv0mB4nW7zJ6cF1aE3sT5uH8gY

real value, the actual credential

Same command, two views. Your agent only ever receives the masked form.

the problem

The moment a secret is in reach,
it's everywhere it shouldn't be.

AI agents need your keys to do real work: publish a package, call an API, deploy. But hand an agent a plaintext token and it does not stay where you put it. It bleeds into everything the model touches.

Model context: it's in the prompt now
Chat transcript: saved, synced, shared
Tool logs: stdout, stderr, traces
Error messages: echoed back verbatim
Screenshots: captured into context
Crash reports: shipped off-machine

agent-error.log
POST /v1/charges -> 401 Unauthorized
request used: Authorization: Bearer sk_live_4eC39HqLyjWDarjtT1zdp7dc
-> now logged, transcribed, and in the model's context window.

Today you either hand the agent plaintext keys and lose control of them, or you do everything by hand. AgentVault is the third option.

how it works

Three commands. The secret stays home.

01 store

Add it once

A hidden prompt takes the value. It's encrypted and never written to disk in plaintext.

$ av add GITHUB_TOKEN

02 reference

Name it in your project

Point to it from agentvault.yaml or your .env. You store references, never values.

GITHUB_TOKEN=av://github_token

03 run

Run anything through it

The command gets the real value. You and the agent see only the masked token.

$ av run -- your-command
-> agent sees {{AV:GITHUB_TOKEN}}
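
The store, reference, run flow above, sketched as an added example. This is not AgentVault's code: the in-memory VAULT dict, the sample token, the child command and the helper names are constructed stand-ins for the daemon and its backends.

```python
import os
import subprocess
import sys

# Constructed sample data: a stand-in vault and a .env holding references only.
VAULT = {"npm_token": "npm_CONSTRUCTED0000example0000"}
DOTENV = "# project .env\nNPM_TOKEN=av://npm_token\nNODE_ENV=production\n"
# Constructed child command that echoes the credential on stdout and stderr.
CHILD = [sys.executable, "-c",
         "import os, sys; t = os.environ['NPM_TOKEN']; "
         "print('NPM_TOKEN=' + t); sys.stderr.write('401 for ' + t + '\\n')"]


def resolve_refs(dotenv_text, vault):
    """Return {ENV_NAME: real value} for every KEY=av://name line."""
    resolved = {}
    for line in dotenv_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and value.startswith("av://"):
            resolved[key.strip()] = vault[value[len("av://"):].strip()]
    return resolved


def mask(text, secrets):
    """Replace each real value with its {{AV:NAME}} placeholder."""
    # Longest first, so a secret that contains a shorter one is replaced whole.
    for name, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        if value:  # an empty value would match between every character
            text = text.replace(value, "{{AV:" + name + "}}")
    return text


def run_masked(argv, dotenv_text, vault):
    """Run argv with secrets injected; return only masked output."""
    secrets = resolve_refs(dotenv_text, vault)
    proc = subprocess.run(argv, env={**os.environ, **secrets},
                          capture_output=True, text=True)
    return proc.returncode, mask(proc.stdout, secrets), mask(proc.stderr, secrets)


if __name__ == "__main__":
    code, out, err = run_masked(CHILD, DOTENV, VAULT)
    print(code, out, err, sep="\n")
```

Exact-match replacement only catches the value verbatim; an encoded or truncated copy of the secret passes through unchanged, which is the gap a second scrub pass over the output is meant to cover.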

the proof

It actually authenticated.
The token never surfaced.

A live run: an agent executed npm whoami through AgentVault. npm logged in as the real account. The agent's transcript shows only the masked token.

real execution · inside the command

$ av run -- npm whoami

-> resolving av://npm_token · injecting into env

NPM_TOKEN=npm_R8xKd2Lp9Qv0mB4n...


beshkenadze

agent transcript · what the model reads

$ av run -- npm whoami

-> resolving av://npm_token · injecting into env

NPM_TOKEN={{AV:NPM_TOKEN}}


beshkenadze

Identical command, identical success; the credential's value is the only thing that differs between the two columns.

Process gets real credentials. Agent sees placeholders.

features

Built for how you actually work.

av run · av env

Inject in, mask out

Run any command with secrets injected and the output auto-masked. Works with your existing .env; it just stores references instead of plaintext.

av init

Works with any agent

Drops in hooks and a skill for Claude Code, with a generic adapter for everything else. Redaction becomes automatic, without per-prompt discipline.

av://name

Multiple backends

A local encrypted vault, the macOS Keychain, or 1Password all use the same av:// reference. Switch without touching your project.

brew install

One-command install

One Homebrew formula installs the av client and the avd daemon. Nothing to configure before your first av add.

trust

Security you can reason about.
Including its limits.

layer 01

Broker, not store

The agent never holds the secret. It asks the daemon to run a command; the real value is injected for that process and gone when it exits.

layer 02

Two independent nets

Values are masked at the source. A second scrub pass, powered by gitleaks, catches derived or leaked secrets in anything the agent reads back.

layer 03

Touch ID + Secure Enclave

The vault key is gated by your fingerprint and protected by Apple hardware. It lives only in locked memory and is wiped on lock or sleep.

what it does not do

Honest about scope

Built for the cooperative-agent case: keeping secrets out of an agent's context and logs. It does not defend against a malicious local attacker with code execution on your machine. Security tools that overclaim lose trust, so we say so.

install

Up and running in under a minute.

$ brew install bshk-app/tap/agentvault

$ av add NPM_TOKEN
$ av run -- npm whoami

quickstart

$ brew install bshk-app/tap/agentvault

==> installed av, avd

$ av add NPM_TOKEN

Touch ID stored; never written to disk in plaintext

$ av run -- npm whoami

beshkenadze
