Stillvault
БесплатноНе проверенEnables AI agents to securely use real secrets (API keys, database passwords) by requiring human approval for each release, ensuring secrets never enter the mod
Описание
Enables AI agents to securely use real secrets (API keys, database passwords) by requiring human approval for each release, ensuring secrets never enter the model's context.
README
Give an AI agent access to real secrets — API keys, database passwords — with a named human approving each release on their device, and without the secret ever entering the model's context.
This is a thin shim over the stillvault CLI. It contains no cryptography and holds
no secret material: every release, approval, and unsealing happens in the CLI and on
the approver's device, exactly as it does from a shell. The agent calls a tool; a
human approves on their phone or the web console; the secret is used and never shown
to the model.
Why the secret never reaches the model
The headline tool, stillvault_run, doesn't return secret values. It runs a command
you choose, substitutes stillvault://<path> references into that process after
approval, and returns only the command's output. The plaintext lives only in the
child process, on the local machine, for that command's lifetime — never in the
conversation, and never in your LLM provider's logs.
There is a second tool, stillvault_reveal, for the rare case where the value itself
must be read. It says plainly what it costs (the secret enters the model context) and
should be the exception.
Onboarding
1. Install the stillvault CLI
curl -fsSL https://stillvault.ai/install.sh | sh # macOS / Linux
# Windows (PowerShell):
irm https://stillvault.ai/install.ps1 | iex
2. Enrol this machine as an agent
The agent gets its own signing key — the org key never lives here. Create an enrolment token in the web console (Agents), then:
stillvault agent-enroll --agent claude-prod --org <your-org-id> --token <one-time-token>
An admin admits it in the console after checking the fingerprint. Scope the paths it may request with an access policy. See https://stillvault.ai/docs/agents/.
3. Add the MCP server to your client
It runs over stdio via npx — no separate install.
Claude Desktop / Claude Code (claude_desktop_config.json or .mcp.json):
{
"mcpServers": {
"stillvault": {
"command": "npx",
"args": ["-y", "@wolstapp/stillvault-mcp"],
"env": {
"STILLVAULT_AGENT": "claude-prod",
"STILLVAULT_TENANT": "<your-org-id>"
}
}
}
}
Claude Code, one-liner:
claude mcp add stillvault -e STILLVAULT_AGENT=claude-prod -e STILLVAULT_TENANT=<org-id> \
-- npx -y @wolstapp/stillvault-mcp
That's it. The agent can now request secrets, and you approve each release on your device.
The tools
stillvault_run (preferred)
Runs a local command with secrets injected, never revealing them.
command— the executable, e.g.psql,curl,./deploy.sh.args— arguments; anystillvault://<path>is replaced with the secret after approval. Embed inside a longer string with{{stillvault://<path>}}.secret_env— optional map of environment variables whose values contain references (e.g.{"DATABASE_URL": "stillvault://db/prod/dsn"}). Switches to the safer mode where secrets go in the child's environment, not its command line.
Returns the command's stdout/stderr and exit code. Blocks until a human approves (or the wait times out, default 130s).
stillvault_reveal (exposes the value)
Returns a secret's plaintext into the conversation after approval. This puts the
secret in the model's context and your provider's logs. Prefer stillvault_run.
path— the secret path, e.g.db/prod/password.
Configuration
| Env var | Default | Purpose |
|---|---|---|
STILLVAULT_AGENT |
(none) | Enrolled agent id; releases are signed with its key. Set this for managed use. |
STILLVAULT_TENANT |
(none) | Your org id (managed broker per-tenant lookup). |
STILLVAULT_BROKER |
https://stillvault.ai |
Broker URL (set for self-hosted). |
STILLVAULT_BIN |
stillvault |
Path to the CLI if not on PATH. |
STILLVAULT_APPROVAL_WAIT |
130 |
Seconds to wait for each approval. |
What this server is and isn't
- It is a launcher for the
stillvaultrelease loop, surfaced as MCP tools. - It does not decrypt anything, hold keys, or talk to the broker directly — the CLI does that, and the key that opens a secret only ever exists on the approver's device.
- Approval is per release. A short, policy-bounded lease in the CLI means a tight loop reading the same secret doesn't prompt a human on every call — see https://stillvault.ai/docs/how-it-works/.
Develop locally
npm install
npm run build
npm start # serves over stdio
Установка Stillvault
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/Wolstapp/stillvault-mcpFAQ
Stillvault MCP бесплатный?
Да, Stillvault MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Stillvault?
Нет, Stillvault работает без API-ключей и переменных окружения.
Stillvault — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Stillvault в Claude Desktop, Claude Code или Cursor?
Открой Stillvault на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
wenb1n-dev/SmartDB_MCP
A universal database MCP server supporting simultaneous connections to multiple databases. It provides tools for database operations, health analysis, SQL optim
автор: wenb1n-devPostgres Server
This server enables interaction with PostgreSQL databases through the Model Context Protocol, optimized for the AWS Bedrock AgentCore Runtime. It provides tools
автор: madhurprashPostgres
Query your database in natural language
автор: AnthropicPostgreSQL
Read-only database access with schema inspection.
автор: modelcontextprotocolCompare Stillvault with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории data
