Show HN: Secretctl – AI-safe secrets manager with MCP integration
Secretctl is a newly released secrets manager designed for AI workflows, shown on Hacker News. It provides a local-first, single-binary CLI and desktop app with MCP integration, intended to keep secrets from leaking to AI agents.
The simplest AI-ready secrets manager. Local-first, single-binary CLI & Desktop app with MCP integration. Never expose secrets to AI agents.
forest6511/secretctl
secretctl
The simplest AI-ready secrets manager.
No infrastructure. No subscription. No complexity.

Why secretctl?
Managing secrets shouldn't require a PhD in DevOps. secretctl is a local-first secrets manager that:
Why Local-First & AI-Safe?
Your secrets, your machine — No cloud sync, no third-party servers, no subscription fees. Your credentials stay on your device, period.
AI agents don't need plaintext — When Claude runs aws s3 ls, it needs the result, not your AWS keys. secretctl injects credentials directly into commands—AI never sees them.
Defense in depth — AES-256-GCM encryption at rest, Argon2id key derivation, MCP policy controls, and automatic output sanitization. Multiple layers, not a single point of failure.
Installation
From Source
Binary Releases
Download the latest release from GitHub Releases.
CLI:
Desktop App:
macOS may show a security warning for unsigned apps. To allow:
Windows SmartScreen may show a warning. To allow:
Quick Start
1. Initialize your vault
2. Store a secret
3. Retrieve a secret
4. List all secrets
5. Delete a secret
Features
Core
Metadata Support
Run Commands with Secrets
Inject secrets as environment variables without exposing them in your shell history:
Note: Output sanitization uses exact string matching, so an encoded form of a secret (Base64, hex) or a partial match is not detected and passes through unredacted.
Export Secrets
Export secrets for use with Docker, CI/CD, or other tools:
Import Secrets
Import secrets from existing .env or JSON files:
Generate Passwords
Create secure random passwords:
Backup and Restore
Create encrypted backups and restore your vault:
Security: Each backup is encrypted with AES-256-GCM under a key derived from a fresh random salt, and an HMAC-SHA256 integrity check detects any tampering with the backup file.
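Encrypt-then-MAC backup as a worked example. This is added illustration code, not secretctl's implementation or its on-disk format: the blob layout, the passphrase and the sample vault JSON are assumptions, and because the Go standard library has no Argon2, the key derivation is a PBKDF2-HMAC-SHA256 stand-in for the Argon2id the Defense in depth section specifies. It shows the three properties the Security note describes: a fresh random salt (and nonce) for every backup, AES-256-GCM for confidentiality, and an HMAC-SHA256 over the whole blob that rejects any modification before decryption is attempted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob layout assumed for this example (not secretctl's real format):
// salt(16) || nonce(12) || AES-256-GCM ciphertext+tag || HMAC-SHA256(32)
const saltLen, nonceLen, macLen = 16, 12, 32
const kdfIters = 100_000 // work factor of the stand-in KDF below

// One error for a tampered blob and for a wrong passphrase: callers are not told which.
var ErrIntegrity = errors.New("backup integrity check failed (tampered or wrong passphrase)")

// deriveKeys stretches the passphrase with the per-backup salt into two independent
// 32-byte keys. secretctl specifies Argon2id; the standard library has no Argon2, so
// this stand-in is PBKDF2-HMAC-SHA256 (use golang.org/x/crypto/argon2 in real code).
func deriveKeys(passphrase, salt []byte) (encKey, macKey []byte) {
	block := func(index byte) []byte {
		prf := hmac.New(sha256.New, passphrase)
		prf.Write(salt)
		prf.Write([]byte{0, 0, 0, index}) // PBKDF2 block index, big-endian
		u := prf.Sum(nil)
		out := append([]byte(nil), u...)
		for i := 1; i < kdfIters; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range out {
				out[j] ^= u[j]
			}
		}
		return out
	}
	return block(1), block(2)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the vault with a fresh random salt and nonce, then appends an
// HMAC-SHA256 over everything before it (encrypt-then-MAC, independent MAC key).
func EncryptBackup(passphrase, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	encKey, macKey := deriveKeys(passphrase, header[:saltLen])
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	// The header is also bound into the GCM tag as associated data.
	body := gcm.Seal(append([]byte(nil), header...), header[saltLen:], plaintext, header)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// DecryptBackup checks the HMAC before touching the ciphertext, then opens the GCM envelope.
func DecryptBackup(passphrase, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+macLen {
		return nil, ErrIntegrity
	}
	body, tag := blob[:len(blob)-macLen], blob[len(blob)-macLen:]
	header := body[:saltLen+nonceLen]
	encKey, macKey := deriveKeys(passphrase, header[:saltLen])
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrIntegrity
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen:], body[saltLen+nonceLen:], header)
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

func main() {
	pass := []byte("correct horse battery staple") // assumed passphrase
	blob, _ := EncryptBackup(pass, []byte(`{"DB_PASSWORD":"hunter2"}`)) // constructed sample vault
	blob[saltLen+nonceLen] ^= 0x80 // flip one ciphertext bit
	_, err := DecryptBackup(pass, blob)
	fmt.Println("tampered backup rejected:", errors.Is(err, ErrIntegrity))
}
```

GCM's own tag already authenticates the ciphertext, so the outer HMAC is a second, independent check rather than the only one; deriving separate encryption and MAC keys (two KDF blocks here) is what keeps the two layers independent. A wrong passphrase and a tampered file deliberately produce the same error, so the check does not tell an attacker which of the two they got.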
Audit Log
AI-Safe Access
secretctl implements AI-Safe Access — a security principle where AI agents never receive plaintext secrets.
Unlike traditional secret managers that might expose credentials directly to AI, secretctl uses a fundamentally different approach:
How it works:
This follows the "Access Without Exposure" philosophy used by industry leaders like 1Password and HashiCorp Vault.
AI Integration (MCP Server)
secretctl includes an MCP server for secure integration with AI coding assistants like Claude Code:
Available MCP Tools:
Configure in Claude Code (~/.claude.json):
Policy Configuration (~/.secretctl/mcp-policy.yaml):
Security: AI agents never receive plaintext secrets. The secret_run tool injects secrets into the command's environment variables, and the command output is automatically sanitized before it is returned to the agent.
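The two mechanisms above, injecting secrets as environment variables (Run Commands with Secrets) and sanitizing the output the agent sees (secret_run), as an added Go example that is not secretctl's own code. The placeholder text [REDACTED], the 8-character minimum value length and the function names are assumptions. Sanitize implements the exact string matching the README's note describes; SanitizeEncoded goes beyond the text and also redacts Base64, hex and URL-encoded forms of each value, which shows both what the note warns about and how far a string-matching sanitizer can be pushed. Partial matches remain undetectable either way.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"sort"
	"strings"
)

const redacted = "[REDACTED]" // placeholder text is an assumption
const minSecretLen = 8        // assumed floor: redacting very short values would mangle unrelated output

// Sanitize is the exact-string-matching approach the README's note describes:
// every literal occurrence of a secret value is replaced, nothing else is.
// Longest values go first so that a secret which is a prefix of another
// cannot leave a recognisable tail behind.
func Sanitize(out string, secrets []string) string {
	vals := make([]string, 0, len(secrets))
	for _, s := range secrets {
		if len(s) >= minSecretLen {
			vals = append(vals, s)
		}
	}
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	for _, s := range vals {
		out = strings.ReplaceAll(out, s, redacted)
	}
	return out
}

// SanitizeEncoded extends exact matching with the transformations a tool commonly
// applies before printing a value. Partial matches are still not detected.
func SanitizeEncoded(out string, secrets []string) string {
	var variants []string
	for _, s := range secrets {
		b := []byte(s)
		variants = append(variants, s,
			base64.StdEncoding.EncodeToString(b),
			base64.RawStdEncoding.EncodeToString(b),
			base64.URLEncoding.EncodeToString(b),
			base64.RawURLEncoding.EncodeToString(b),
			hex.EncodeToString(b),
			strings.ToUpper(hex.EncodeToString(b)),
			url.QueryEscape(s),
		)
	}
	return Sanitize(out, variants)
}

// RunWithSecrets runs a command with the secrets injected as environment variables.
// The values never appear on the command line (so not in shell history or `ps`), and
// only the sanitized combined stdout/stderr is returned, which is all an agent sees.
func RunWithSecrets(secrets map[string]string, name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	cmd.Env = os.Environ()
	vals := make([]string, 0, len(secrets))
	for k, v := range secrets {
		cmd.Env = append(cmd.Env, k+"="+v)
		vals = append(vals, v)
	}
	var buf bytes.Buffer
	cmd.Stdout, cmd.Stderr = &buf, &buf
	err := cmd.Run()
	return SanitizeEncoded(buf.String(), vals), err
}

func main() {
	// Constructed demo: the command prints the token in plain and base64 form.
	secrets := map[string]string{"API_TOKEN": "sk-live-0123456789abcdef"}
	out, err := RunWithSecrets(secrets, "sh", "-c",
		`printf 'plain=%s b64=%s\n' "$API_TOKEN" "$(printf %s "$API_TOKEN" | base64)"`)
	fmt.Printf("agent sees: %q (err=%v)\n", out, err)
}
```

The caveat no sanitizer removes: it only filters what comes back through stdout and stderr. A command that writes a secret to a file, sends it over the network, or prints a transformed form the variant list does not cover still leaks it, which is why the MCP policy (which commands may run, and with which secrets) is the control to get right first.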
Desktop App
secretctl includes a native desktop application built with Wails v2:

Desktop app showing multi-field secrets with templates (Database, API Key, Login, SSH Key)
Features:
Development:
Security
secretctl takes security seriously:
For reporting security vulnerabilities, please see SECURITY.md.
Documentation
📚 Full Documentation — Getting started, guides, and reference
License
Apache License 2.0 — See LICENSE for details.
Built with care for developers who value simplicity and security.
Releases: 8