agentsecure 0.1.6__tar.gz → 0.1.7__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {agentsecure-0.1.6/agentsecure.egg-info → agentsecure-0.1.7}/PKG-INFO +57 -7
- {agentsecure-0.1.6 → agentsecure-0.1.7}/README.md +56 -6
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/__init__.py +1 -1
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/main.py +269 -11
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/config.py +32 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/container.py +35 -8
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/models.py +30 -0
- agentsecure-0.1.7/agentsecure/core/runtime_bindings.py +67 -0
- agentsecure-0.1.7/agentsecure/core/secret_aliases.py +418 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/gateway/proxy.py +26 -5
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/guard/sanitizer.py +7 -3
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/encrypted_secret_store.py +8 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/grant_store.py +21 -1
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/secret_store_factory.py +14 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/secrets.py +88 -3
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/interfaces/key_store.py +2 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/interfaces/secrets.py +1 -2
- {agentsecure-0.1.6 → agentsecure-0.1.7/agentsecure.egg-info}/PKG-INFO +57 -7
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure.egg-info/SOURCES.txt +3 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/setup.cfg +1 -1
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_cli.py +30 -1
- agentsecure-0.1.7/tests/test_secret_aliases.py +95 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/LICENSE +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/NOTICE +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/__main__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/api/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/api/server.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/api/services.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/common.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/demo.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/policy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/project.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/proxy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/receipts.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/secrets.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cli/settings.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/client/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/client/wrappers.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/cloud.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/config/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/config/default_agentsecure.json +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/agentsecure_md.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/capabilities.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/command_metadata.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/config_profiles.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/key_service.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/policy_mutation.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/policy_ports.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/policy_response.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/policy_validation.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/product.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/provider_proxy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/core/time.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/crypto/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/crypto/cipher.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/crypto/key_provider.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/daemon/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/daemon/commands.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/daemon/policies.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/daemon/sessions.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/daemon/supervisor.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/discovery/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/discovery/dotenv_scanner.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/discovery/env_scanner.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/discovery/patterns.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/discovery/scanner.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/discovery/suggestions.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/gateway/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/guard/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/guard/command.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/guard/network.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/guard/wrappers.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/audit.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/local_secret_store.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/implementations/policy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/interfaces/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/interfaces/audit.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/interfaces/grants.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/interfaces/policy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/workspace/__init__.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/workspace/apply.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/workspace/diff.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/workspace/materializer.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/workspace/rewriter.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure/workspace/strategies.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure.egg-info/dependency_links.txt +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure.egg-info/entry_points.txt +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/agentsecure.egg-info/top_level.txt +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/pyproject.toml +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/setup.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_agentsecure_md.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_audit.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_cli_demo.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_cli_policy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_cli_proxy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_config_validation.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_diff.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_discovery.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_encrypted_secret_store.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_env_policy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_env_policy_contract.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_gateway_credentials.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_guard.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_guard_network.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_key_service.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_policy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_policy_mutation.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_product.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_provider_proxy.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_secret_scan.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_secrets.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_version.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_workspace.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_workspace_apply.py +0 -0
- {agentsecure-0.1.6 → agentsecure-0.1.7}/tests/test_wrappers.py +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: agentsecure
|
|
3
|
-
Version: 0.1.
|
|
3
|
+
Version: 0.1.7
|
|
4
4
|
Summary: Local-first security runtime for AI coding agents
|
|
5
5
|
Home-page: https://github.com/ShellFrameAI/agentsecure-community
|
|
6
6
|
Author: ShellFrame AI
|
|
@@ -34,7 +34,7 @@ Dynamic: license-file
|
|
|
34
34
|
|
|
35
35
|
AI coding agents run where developer secrets already live: `.env` files, shell environments, MCP configs, local credentials, and project settings. GitGuardian's 2026 State of Secrets Sprawl report found [28.65 million new hardcoded secrets in public GitHub commits in 2025](https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/) and [24,008 unique secrets in MCP-related configuration files, including 2,117 valid credentials](https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/). Reported testing has also shown agent tools reading `.env` files despite ignore-file expectations; [The Register reproduced Claude Code reading `.env` with `.claudeignore` and `.gitignore` entries present](https://www.theregister.com/2026/01/28/claude_code_ai_secrets_files/), while [Anthropic's current docs recommend explicit file-access deny rules for sensitive files](https://code.claude.com/docs/en/configuration).
|
|
36
36
|
|
|
37
|
-
AgentSecure Community is a local-first CLI for AI coding-agent workflows. It demonstrates a simple idea: ignore files are not a secret boundary, so the agent should
|
|
37
|
+
AgentSecure Community is a local-first CLI for AI coding-agent workflows. It demonstrates a simple idea: ignore files are not a secret boundary, so real secrets should live in AgentSecure's local vault, projects should reference aliases, and the agent should receive temporary virtual tokens instead of raw `.env` values.
|
|
38
38
|
|
|
39
39
|
The community release is intentionally scoped to local CLI, local command guard, basic policy config, local secret virtualization, and tests. Hosted cloud sync, enterprise policy management, billing/licensing, and sensitive commercial detection logic are not part of this release.
|
|
40
40
|
|
|
@@ -72,6 +72,31 @@ Then run your agent:
|
|
|
72
72
|
python3 -m agentsecure run claude
|
|
73
73
|
```
|
|
74
74
|
|
|
75
|
+
## Where Secrets Go
|
|
76
|
+
|
|
77
|
+
Keep real secrets in one local AgentSecure vault:
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
printf '%s' "$DATABASE_URL" | agentsecure secrets add dev_db \
|
|
81
|
+
--env-name DATABASE_URL \
|
|
82
|
+
--provider database \
|
|
83
|
+
--approved-host db.example.com \
|
|
84
|
+
--real-secret-stdin
|
|
85
|
+
|
|
86
|
+
agentsecure secrets use dev_db
|
|
87
|
+
agentsecure run -- claude
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
What this does:
|
|
91
|
+
|
|
92
|
+
- The real value is stored locally under `~/.agentsecure/vault/`.
|
|
93
|
+
- `agentsecure.json` stores only alias metadata such as `dev_db`, `DATABASE_URL`, provider, and approved hosts.
|
|
94
|
+
- At run time, AgentSecure creates a short-lived fake token such as `virt_database_...`.
|
|
95
|
+
- The gateway swaps that fake token for the real secret only for the approved host.
|
|
96
|
+
- The fake token is revoked after the run.
|
|
97
|
+
|
|
98
|
+
Do not put real secrets in project `.env` files. Use `.env` for non-secret config or fake placeholders that are safe for an agent to read.
|
|
99
|
+
|
|
75
100
|
## What The Demo Shows
|
|
76
101
|
|
|
77
102
|
The built-in demo creates a temporary local project with fake secrets, applies a small sample policy, simulates a command reading `.env`, and prints what the agent would see:
|
|
@@ -105,12 +130,12 @@ This creates `agentsecure.json`, local private state under `.agentsecure/`, and
|
|
|
105
130
|
agentsecure policy validate
|
|
106
131
|
```
|
|
107
132
|
|
|
108
|
-
Create a fake `.env` for testing:
|
|
133
|
+
Create a fake `.env` for testing. This file must not contain real credentials:
|
|
109
134
|
|
|
110
135
|
```bash
|
|
111
136
|
cat > .env <<'EOF'
|
|
112
|
-
OPENAI_API_KEY=
|
|
113
|
-
DATABASE_URL_PROD=postgres://
|
|
137
|
+
OPENAI_API_KEY=fake-openai-key-for-demo-only
|
|
138
|
+
DATABASE_URL_PROD=postgres://fake:fake-password@example.invalid/app
|
|
114
139
|
EOF
|
|
115
140
|
```
|
|
116
141
|
|
|
@@ -120,13 +145,25 @@ Discover likely secrets:
|
|
|
120
145
|
agentsecure discover
|
|
121
146
|
```
|
|
122
147
|
|
|
148
|
+
For real credentials, use the vault/alias flow:
|
|
149
|
+
|
|
150
|
+
```bash
|
|
151
|
+
printf '%s' "$OPENAI_API_KEY" | agentsecure secrets add openai_dev \
|
|
152
|
+
--env-name OPENAI_API_KEY \
|
|
153
|
+
--provider openai \
|
|
154
|
+
--approved-host api.openai.com \
|
|
155
|
+
--real-secret-stdin
|
|
156
|
+
|
|
157
|
+
agentsecure secrets use openai_dev
|
|
158
|
+
```
|
|
159
|
+
|
|
123
160
|
Run a command through the local guard:
|
|
124
161
|
|
|
125
162
|
```bash
|
|
126
163
|
agentsecure run --protect-all -- python3 -c 'import subprocess; print(subprocess.check_output(["cat", ".env"]).decode())'
|
|
127
164
|
```
|
|
128
165
|
|
|
129
|
-
By default, `--protect-all` virtualizes discovered secrets. The command output should contain `virt_...` tokens instead of
|
|
166
|
+
By default, `--protect-all` virtualizes discovered values. Prefer the `agentsecure secrets add/use` flow above for real secrets because it keeps real values out of project files entirely. The command output should contain `virt_...` tokens instead of real values. The real `.env`, if you still have one, remains local and unchanged.
|
|
130
167
|
|
|
131
168
|
Denied values are removed only when policy sets `mode: "deny"` for that environment variable. The built-in `agentsecure demo` includes that policy for `DATABASE_URL_PROD` so you can see both behaviors: virtualize and deny.
|
|
132
169
|
|
|
@@ -179,7 +216,8 @@ Provider proxy mode is local-only. It is not a system-wide proxy, not TLS MITM,
|
|
|
179
216
|
## What It Demonstrates
|
|
180
217
|
|
|
181
218
|
- Discover likely secrets in `.env` files and environment variables.
|
|
182
|
-
- Store real
|
|
219
|
+
- Store reusable real secrets locally under `~/.agentsecure/vault/`.
|
|
220
|
+
- Store project assignments as alias metadata in `agentsecure.json`.
|
|
183
221
|
- Expose virtual values such as `OPENAI_API_KEY=virt_openai_...`.
|
|
184
222
|
- Sanitize common `.env` reads through command-guard mode.
|
|
185
223
|
- Remove denied env values from agent-visible output.
|
|
@@ -195,6 +233,15 @@ Minimal policy shape:
|
|
|
195
233
|
|
|
196
234
|
```json
|
|
197
235
|
{
|
|
236
|
+
"secret_aliases": [
|
|
237
|
+
{
|
|
238
|
+
"alias_id": "openai_dev",
|
|
239
|
+
"env_name": "OPENAI_API_KEY",
|
|
240
|
+
"provider": "openai",
|
|
241
|
+
"approved_hosts": ["api.openai.com"],
|
|
242
|
+
"mode": "virtualize"
|
|
243
|
+
}
|
|
244
|
+
],
|
|
198
245
|
"env_policy": {
|
|
199
246
|
"OPENAI_API_KEY": {
|
|
200
247
|
"mode": "virtualize",
|
|
@@ -224,6 +271,9 @@ agentsecure doctor
|
|
|
224
271
|
agentsecure discover
|
|
225
272
|
agentsecure suggest
|
|
226
273
|
agentsecure env
|
|
274
|
+
agentsecure secrets add dev_db --env-name DATABASE_URL --provider database --approved-host db.example.com --real-secret-stdin
|
|
275
|
+
agentsecure secrets use dev_db
|
|
276
|
+
agentsecure secrets list
|
|
227
277
|
agentsecure keys list
|
|
228
278
|
agentsecure network list
|
|
229
279
|
agentsecure proxy setup openai
|
|
@@ -8,7 +8,7 @@
|
|
|
8
8
|
|
|
9
9
|
AI coding agents run where developer secrets already live: `.env` files, shell environments, MCP configs, local credentials, and project settings. GitGuardian's 2026 State of Secrets Sprawl report found [28.65 million new hardcoded secrets in public GitHub commits in 2025](https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/) and [24,008 unique secrets in MCP-related configuration files, including 2,117 valid credentials](https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/). Reported testing has also shown agent tools reading `.env` files despite ignore-file expectations; [The Register reproduced Claude Code reading `.env` with `.claudeignore` and `.gitignore` entries present](https://www.theregister.com/2026/01/28/claude_code_ai_secrets_files/), while [Anthropic's current docs recommend explicit file-access deny rules for sensitive files](https://code.claude.com/docs/en/configuration).
|
|
10
10
|
|
|
11
|
-
AgentSecure Community is a local-first CLI for AI coding-agent workflows. It demonstrates a simple idea: ignore files are not a secret boundary, so the agent should
|
|
11
|
+
AgentSecure Community is a local-first CLI for AI coding-agent workflows. It demonstrates a simple idea: ignore files are not a secret boundary, so real secrets should live in AgentSecure's local vault, projects should reference aliases, and the agent should receive temporary virtual tokens instead of raw `.env` values.
|
|
12
12
|
|
|
13
13
|
The community release is intentionally scoped to local CLI, local command guard, basic policy config, local secret virtualization, and tests. Hosted cloud sync, enterprise policy management, billing/licensing, and sensitive commercial detection logic are not part of this release.
|
|
14
14
|
|
|
@@ -46,6 +46,31 @@ Then run your agent:
|
|
|
46
46
|
python3 -m agentsecure run claude
|
|
47
47
|
```
|
|
48
48
|
|
|
49
|
+
## Where Secrets Go
|
|
50
|
+
|
|
51
|
+
Keep real secrets in one local AgentSecure vault:
|
|
52
|
+
|
|
53
|
+
```bash
|
|
54
|
+
printf '%s' "$DATABASE_URL" | agentsecure secrets add dev_db \
|
|
55
|
+
--env-name DATABASE_URL \
|
|
56
|
+
--provider database \
|
|
57
|
+
--approved-host db.example.com \
|
|
58
|
+
--real-secret-stdin
|
|
59
|
+
|
|
60
|
+
agentsecure secrets use dev_db
|
|
61
|
+
agentsecure run -- claude
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
What this does:
|
|
65
|
+
|
|
66
|
+
- The real value is stored locally under `~/.agentsecure/vault/`.
|
|
67
|
+
- `agentsecure.json` stores only alias metadata such as `dev_db`, `DATABASE_URL`, provider, and approved hosts.
|
|
68
|
+
- At run time, AgentSecure creates a short-lived fake token such as `virt_database_...`.
|
|
69
|
+
- The gateway swaps that fake token for the real secret only for the approved host.
|
|
70
|
+
- The fake token is revoked after the run.
|
|
71
|
+
|
|
72
|
+
Do not put real secrets in project `.env` files. Use `.env` for non-secret config or fake placeholders that are safe for an agent to read.
|
|
73
|
+
|
|
49
74
|
## What The Demo Shows
|
|
50
75
|
|
|
51
76
|
The built-in demo creates a temporary local project with fake secrets, applies a small sample policy, simulates a command reading `.env`, and prints what the agent would see:
|
|
@@ -79,12 +104,12 @@ This creates `agentsecure.json`, local private state under `.agentsecure/`, and
|
|
|
79
104
|
agentsecure policy validate
|
|
80
105
|
```
|
|
81
106
|
|
|
82
|
-
Create a fake `.env` for testing:
|
|
107
|
+
Create a fake `.env` for testing. This file must not contain real credentials:
|
|
83
108
|
|
|
84
109
|
```bash
|
|
85
110
|
cat > .env <<'EOF'
|
|
86
|
-
OPENAI_API_KEY=
|
|
87
|
-
DATABASE_URL_PROD=postgres://
|
|
111
|
+
OPENAI_API_KEY=fake-openai-key-for-demo-only
|
|
112
|
+
DATABASE_URL_PROD=postgres://fake:fake-password@example.invalid/app
|
|
88
113
|
EOF
|
|
89
114
|
```
|
|
90
115
|
|
|
@@ -94,13 +119,25 @@ Discover likely secrets:
|
|
|
94
119
|
agentsecure discover
|
|
95
120
|
```
|
|
96
121
|
|
|
122
|
+
For real credentials, use the vault/alias flow:
|
|
123
|
+
|
|
124
|
+
```bash
|
|
125
|
+
printf '%s' "$OPENAI_API_KEY" | agentsecure secrets add openai_dev \
|
|
126
|
+
--env-name OPENAI_API_KEY \
|
|
127
|
+
--provider openai \
|
|
128
|
+
--approved-host api.openai.com \
|
|
129
|
+
--real-secret-stdin
|
|
130
|
+
|
|
131
|
+
agentsecure secrets use openai_dev
|
|
132
|
+
```
|
|
133
|
+
|
|
97
134
|
Run a command through the local guard:
|
|
98
135
|
|
|
99
136
|
```bash
|
|
100
137
|
agentsecure run --protect-all -- python3 -c 'import subprocess; print(subprocess.check_output(["cat", ".env"]).decode())'
|
|
101
138
|
```
|
|
102
139
|
|
|
103
|
-
By default, `--protect-all` virtualizes discovered secrets. The command output should contain `virt_...` tokens instead of
|
|
140
|
+
By default, `--protect-all` virtualizes discovered values. Prefer the `agentsecure secrets add/use` flow above for real secrets because it keeps real values out of project files entirely. The command output should contain `virt_...` tokens instead of real values. The real `.env`, if you still have one, remains local and unchanged.
|
|
104
141
|
|
|
105
142
|
Denied values are removed only when policy sets `mode: "deny"` for that environment variable. The built-in `agentsecure demo` includes that policy for `DATABASE_URL_PROD` so you can see both behaviors: virtualize and deny.
|
|
106
143
|
|
|
@@ -153,7 +190,8 @@ Provider proxy mode is local-only. It is not a system-wide proxy, not TLS MITM,
|
|
|
153
190
|
## What It Demonstrates
|
|
154
191
|
|
|
155
192
|
- Discover likely secrets in `.env` files and environment variables.
|
|
156
|
-
- Store real
|
|
193
|
+
- Store reusable real secrets locally under `~/.agentsecure/vault/`.
|
|
194
|
+
- Store project assignments as alias metadata in `agentsecure.json`.
|
|
157
195
|
- Expose virtual values such as `OPENAI_API_KEY=virt_openai_...`.
|
|
158
196
|
- Sanitize common `.env` reads through command-guard mode.
|
|
159
197
|
- Remove denied env values from agent-visible output.
|
|
@@ -169,6 +207,15 @@ Minimal policy shape:
|
|
|
169
207
|
|
|
170
208
|
```json
|
|
171
209
|
{
|
|
210
|
+
"secret_aliases": [
|
|
211
|
+
{
|
|
212
|
+
"alias_id": "openai_dev",
|
|
213
|
+
"env_name": "OPENAI_API_KEY",
|
|
214
|
+
"provider": "openai",
|
|
215
|
+
"approved_hosts": ["api.openai.com"],
|
|
216
|
+
"mode": "virtualize"
|
|
217
|
+
}
|
|
218
|
+
],
|
|
172
219
|
"env_policy": {
|
|
173
220
|
"OPENAI_API_KEY": {
|
|
174
221
|
"mode": "virtualize",
|
|
@@ -198,6 +245,9 @@ agentsecure doctor
|
|
|
198
245
|
agentsecure discover
|
|
199
246
|
agentsecure suggest
|
|
200
247
|
agentsecure env
|
|
248
|
+
agentsecure secrets add dev_db --env-name DATABASE_URL --provider database --approved-host db.example.com --real-secret-stdin
|
|
249
|
+
agentsecure secrets use dev_db
|
|
250
|
+
agentsecure secrets list
|
|
201
251
|
agentsecure keys list
|
|
202
252
|
agentsecure network list
|
|
203
253
|
agentsecure proxy setup openai
|