TCP client-server model. Server holds credentials (encrypted at rest with age), injects them into a pre-approved allowlist of commands. Agent calls credwrap gog gmail search ... — server injects the API key and executes, agent never sees the credential.
Features:
Tool allowlist with argument validation
Token / IP whitelist / Tailscale auth
Full audit logging
Works on Linux and macOS
Two deployment modes: run as your own user with encryption (simple), or run as a separate system user for full privilege separation (more secure).
Had the thought that this was needed, and then saw this thread, so I figured I'd share.
TCP client-server model. Server holds credentials (encrypted at rest with age), injects them into a pre-approved allowlist of commands. Agent calls credwrap gog gmail search ... — server injects the API key and executes, agent never sees the credential.
Features:
Tool allowlist with argument validation Token / IP whitelist / Tailscale auth Full audit logging Works on Linux and macOS Two deployment modes: run as your own user with encryption (simple), or run as a separate system user for full privilege separation (more secure).
Had the thought that this was needed, and then saw this thread, so I figured I'd share.