Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Keiko

БесплатноНе проверен

Enables AI agents to securely use secrets by running commands with environment-injected credentials and sanitizing output to prevent leakage.

GitHubEmbed

Описание

Enables AI agents to securely use secrets by running commands with environment-injected credentials and sanitizing output to prevent leakage.

README

Secure secrets manager for AI agents. Keiko lets AI tools like Claude Code use API tokens, passwords, and credentials without ever seeing the actual values.

The Problem

AI agents need API tokens to do useful work — calling APIs, deploying code, managing infrastructure. But passing secret values through an AI's context window is a security risk: they appear in conversation logs, tool responses, and potentially in training data.

How Keiko Solves It

Keiko uses a proxy pattern. The AI agent tells Keiko what command to run and which secrets it needs, but never sees the secret values themselves:

AI Agent ──► Keiko MCP Server ──► Keiko Backend
                   │                      │
              resolves secrets ◄── HTTPS ──┘
                   │
              spawns: bash -c "your command"
              with secrets as env vars
                   │
              captures output
              sanitizes (redacts leaked values)
                   │
AI Agent ◄── clean output only

The AI says "run this curl command with my API token" — Keiko injects the token as an environment variable, runs the command, scans the output for any leaked values, redacts them, and returns clean output.

Quick Start

1. Deploy the backend

The backend stores secrets encrypted (AES-256-GCM) and serves them over HTTPS. Deploy with Docker to any platform with persistent storage:

# Generate an encryption key
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

# Deploy (Railway, Render, Fly, Docker Compose, etc.)
# See docs/setup-guide.md for full instructions

2. Set up the MCP server

The MCP server runs on each machine that needs access to secrets. It's a standalone package with only 2 dependencies — no native compilation needed.

cd packages/mcp
npm install
npm run build
node dist/index.js --store-token YOUR_TOKEN

3. Connect to Claude Code

Add to ~/.mcp.json:

{
  "mcpServers": {
    "keiko": {
      "command": "node",
      "args": ["/absolute/path/to/keiko/packages/mcp/dist/index.js"],
      "env": {
        "KEIKO_URL": "https://your-keiko-backend.example.com"
      }
    }
  }
}

Restart Claude Code. Ask "Check Keiko session status" to verify.

How the AI Uses It

Once connected, the AI discovers available secrets and uses them in commands — without ever seeing the values:

AI: list_secrets
→ my_api_token [Bearer token in Authorization header]

AI: run_with_secrets
   command: curl -s -H "Authorization: Bearer $API_TOKEN" https://api.example.com/data
   secrets: [{env: "API_TOKEN", name: "my_api_token"}]
→ {"data": [...]}  (secret values redacted from output)

Each secret includes auth_pattern and auth_instructions metadata, so the AI knows how to use it without external documentation.

MCP Tools

Tool Purpose
run_with_secrets Run a command with secrets injected as env vars
list_secrets Discover available secrets (names and auth patterns only)
session_status Check authentication state
lock Kill switch — revoke all active sessions
set_ttl Configure session expiry (0.5–24 hours)
add_secret Create a new secret
update_secret Replace an existing secret's value
get_guide Fetch the usage guide

Security

  • Encryption at rest — AES-256-GCM with per-secret random IV, plus versioned keys (ENCRYPTION_KEY, ENCRYPTION_KEY_V2, …) and an in-place rotation endpoint so the key can be rotated without downtime
  • Hashed auth tokens — 64-char hex tokens, SHA-256 hashed in the database, plaintext shown once
  • Token scoping — each token is restricted to a set of secret-name glob patterns (e.g. railway_*), so a leaked token only exposes the slice of the vault it actually needs
  • Output sanitization — command output scanned for secret values in raw, base64, base64url, URL-encoded, hex, JSON-string-escaped, and HTML-entity-escaped forms
  • Per-token rate limit — independent of per-IP, caps abuse from a single token routed through multiple IPs
  • CSRF protectionX-CSRF-Token header required on every mutating admin-UI endpoint
  • Session management — configurable TTL, auto-refresh, global kill switch
  • Audit trail — every action logged with token ID, session ID, IP, and timestamp

Secret values never appear in AI tool responses, conversation logs, or on disk on client machines. See GET /api/guide for the full threat model — what the proxy pattern does and does not prevent.

Architecture

keiko/
├── packages/mcp/          # MCP server (runs on your machine)
│   ├── src/
│   │   ├── server.ts       #   7 tool registrations
│   │   ├── client.ts       #   HTTPS client to backend
│   │   ├── executor.ts     #   Shell spawner + env var injection
│   │   ├── sanitizer.ts    #   Output redaction
│   │   └── keychain.ts     #   OS keychain (Win/Mac/Linux)
│   └── package.json        #   2 deps: @modelcontextprotocol/sdk + zod
│
├── src/                    # Backend API (runs on your server)
│   ├── api/                #   Express routes, auth, crypto
│   └── ui/                 #   EJS admin templates
│
└── Dockerfile              # Multi-stage production build

The MCP server and backend are fully independent packages. The MCP server has zero native dependenciesnpm install works everywhere without compilers or --ignore-scripts.

Platform Support

Environment Token Storage Notes
Windows Windows Credential Manager Commands run via Git Bash (not WSL)
macOS macOS Keychain System bash
Linux libsecret Requires secret-tool
Docker / CI KEIKO_TOKEN env var No keychain needed

Documentation

  • Setup Guide — Full setup instructions for all environments, backend deployment, troubleshooting, API reference, and configuration options

Tech Stack

Backend: Node.js 20, TypeScript, Express, SQLite (better-sqlite3), EJS, Google OAuth

MCP Server: Node.js 20, TypeScript, MCP SDK v1.x, Zod

Deployment: Docker (multi-stage build), any platform with persistent volumes. Tested with Railway.

from github.com/goldtopcollective/keiko

Установка Keiko

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/goldtopcollective/keiko

FAQ

Keiko MCP бесплатный?

Да, Keiko MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Keiko?

Нет, Keiko работает без API-ключей и переменных окружения.

Keiko — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Keiko в Claude Desktop, Claude Code или Cursor?

Открой Keiko на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Keiko with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai