HackerTrans
TopNewTrendsCommentsPastAskShowJobs

akropp99

no profile record

comments

akropp99
·5 mesi fa·discuss
Built a solution for this last night: credwrap (https://github.com/akropp/credwrap)

TCP client-server model. Server holds credentials (encrypted at rest with age), injects them into a pre-approved allowlist of commands. Agent calls credwrap gog gmail search ... — server injects the API key and executes, agent never sees the credential.

Features:

Tool allowlist with argument validation Token / IP whitelist / Tailscale auth Full audit logging Works on Linux and macOS Two deployment modes: run as your own user with encryption (simple), or run as a separate system user for full privilege separation (more secure).

Had the thought that this was needed, and then saw this thread, so I figured I'd share.