wundervault/wundervault-mcp
БесплатноНе проверенZero-knowledge secret vault for AI agents: use API keys, passwords, and SSH keys to run real commands (exec/rsync) with the secret injected into a single comman
Описание
Zero-knowledge secret vault for AI agents: use API keys, passwords, and SSH keys to run real commands (exec/rsync) with the secret injected into a single command — never returned to the model or shown in chat. Client-side AES-256-GCM, per-agent scoping, append-only audit log.
README
npm version MCP Registry License: AGPL-3.0
A zero-knowledge secrets vault for AI agents. Every API key you paste into an agent chat or a .env file ends up in context windows, transcripts, and provider logs. Wundervault's answer: the agent never receives the secret at all. It asks for work — "run this deploy with the key injected" — and a local daemon decrypts the secret, injects it into the subprocess environment, zeroes the buffer, and scrubs the output before the agent sees any of it.
This repo is the MCP server that exposes that workflow to any Model Context Protocol client — Claude Code, Cursor, Cline, and others.
Don't trust the claim — test it: the zero-knowledge property is independently verifiable at your own network boundary in about 5 minutes (browser DevTools or a mitmproxy canary test). Guide + our own test transcript: wundervault.com/verify.
How it works
┌──────────────┐ MCP (stdio) ┌───────────────────┐ ciphertext only ┌───────────────────┐
│ AI agent │──────────────▶│ wundervault-mcp │◀─────────────────▶│ wundervault.com │
│ (Claude, …) │◀──────────────│ + local daemon │ │ stores encrypted │
└──────────────┘ "burned" ack │ decrypts HERE │ │ blobs, no keys │
└─────────┬─────────┘ └───────────────────┘
│ secret → subprocess env
│ (buffer zeroed after spawn)
▼
┌───────────────────┐
│ your command │ stdout/stderr scrubbed
│ (deploy, API, …) │ before the agent sees it
└───────────────────┘
Secrets are encrypted client-side (AES-256-GCM via Web Crypto) before upload. The hosted service only ever stores ciphertext — it cannot derive the key, the passphrase, or the plaintext.
Install
npm install -g @wundervault/mcp-server
Quick Start
{
"mcpServers": {
"wundervault": {
"command": "wundervault-mcp",
"env": {
"WUNDERVault_AGENT_VAULT_URL": "https://wundervault.com",
"WUNDERVault_AGENT_VAULT_API_KEY": "wv_agent_<AGENT_ID>|<KEY_SUFFIX>",
"WUNDERVault_AGENT_KEY": "<BASE64_ENCRYPTION_KEY>"
}
}
}
}
Or using a credentials file:
wundervault-mcp --credentials ~/.wundervault/creds.json
New account? wundervault.com has a 90-second agent onboarding flow that generates this config for you.
Security Model
- Zero-knowledge: The encryption key lives only in the MCP server process. The Wundervault server never sees it.
- Burn-after-reading: Plaintext secrets are never returned to the calling agent. After decryption, the agent receives only
"Secret retrieved and burned.". - Exec scrubbing: Command stdout/stderr are scrubbed of the plaintext before being returned; shell-escape patterns (
$(), backticks,sh -c,eval) and file redirects of secrets are rejected before decryption. - Directive integrity: Server-side directive signatures (PBKDF2-HMAC-SHA256, 600k iterations) are verified before any secret is released.
- Timing-safe: HMAC comparison uses
crypto.timingSafeEqual. - Tiered access: Per-entry access tiers are enforced server-side; high-tier secrets require human approval before an agent can use them.
Honest limitations
- The platform is open-core: this MCP server and the browser crypto are AGPL-3.0 so you can audit everything that touches your secrets, but the hosted service itself is not open source.
- A local daemon must run next to the agent; fully air-gapped setups don't fit.
- By design the agent can never read a secret's value — if your workflow needs the model to reason about the secret itself, this is the wrong shape.
Tools
vault_entries_list
List all vault entries available to this agent. Returns entry IDs and secret names — no values.
Input: {}
Output: "Vault entries (N):\n [entry_id] secret_name (tier: read)"
vault_entry_get
Retrieve and decrypt a vault secret. Optionally execute a command with it.
Input:
entry_id: string # from vault_entries_list
purpose: string # audit log reason
exec?: string # optional shell command
Output: "Secret retrieved and burned." (plaintext NEVER returned)
Secure exec pattern (sudo example):
sudo -S systemctl restart nginx <<< "$WUNDERVault_SECRET"
Do NOT use echo $WUNDERVault_SECRET | sudo -S — that exposes the secret in process logs.
vault_exec
Execute a shell command with a vault secret injected as an env var — locally or on a remote host over SSH. The secret is injected into the subprocess and the buffer is zeroed immediately after spawn; escape patterns are rejected before decryption.
Input:
purpose: string # audit log reason
command: string # full shell command (no escape patterns)
entry_id?: string # secret to inject (omit for SSH-key-only remote exec)
working_dir?: string
inject_as?: { env_key, pre_command?, post_command? } # override entry's exec_config
remote_host?: { host, user, ssh_key_entry_id? | ssh_key? }
With remote_host.ssh_key_entry_id, the SSH key is fetched from the vault and used without ever being written to disk.
vault_entry_inject_env
Write a vault secret directly into a config file (~/.npmrc, ~/.netrc, ~/.docker/config.json, or a project .env) without the plaintext passing through the agent.
Input:
entry_id: string
purpose: string
file_path: string # allowed config file paths only
env_key: string # variable name to set
vault_rsync
Sync a local directory to a remote host using rsync over SSH, with the SSH key fetched from the vault (temp keyfile deleted immediately after transfer).
vault_entry_forget
Discard a local reference. No-op on the server.
Input: { entry_id: string }
Output: "Reference [id] discarded from local context."
Credential Loading Priority
- CLI flags (
--api-key,--enc-key,--url) - Environment variables (
WUNDERVault_AGENT_VAULT_API_KEY,WUNDERVault_AGENT_KEY,WUNDERVault_AGENT_VAULT_URL) WUNDERVault_CREDENTIALS_FILEenv var (explicit path)~/.wundervault/creds.json~/.config/wundervault/credentials(XDG)
Credentials file format
{
"agent_vault_url": "https://wundervault.com",
"agent_vault_api_key": "wv_agent_<ID>|<SUFFIX>",
"agent_encryption_key": "<BASE64_URL_SAFE_32_BYTES>"
}
CLI Options
wundervault-mcp [options]
--api-key <key> Agent API key
--enc-key <key> Encryption key (base64 URL-safe)
--url <url> API base URL (default: https://wundervault.com)
--credentials <f> Path to credentials JSON file
--help Show help
Agent wallets (x402)
An x402 payment is just a signature, and a wallet key is a
vault secret like any other. Store the key at tier 2, have the agent sign the
payment payload through vault_exec, and the key is injected into a local signing
subprocess — it never enters the model context, and every use needs the owner's
approval first (the agent's denied call carries a request id; approval is scoped
to that agent + secret, once or for a 15/60-minute window). We ran this
end-to-end on Base Sepolia — the verified run is written up at
wundervault.com/agent-wallets.
Payment-specific policy (spend caps, payee allowlists) is not built yet:
compatible, not productized.
Sandbox / demo mode
Set WUNDERVAULT_MOCK=1 to run the server without a wundervault-agent
daemon or any credentials. In this mode every tool call returns a representative
response clearly labelled [DEMO MODE] instead of contacting the vault — no
real secret is ever involved. This exists so you can poke at the tool surface
without an account, and so MCP directory scanners and CI
(e.g. Glama) can start the server, exercise each tool, and
validate the build with no live vault. It is off by default and is never
enabled in production.
"env": { "WUNDERVAULT_MOCK": "1" } // demo/CI only — returns fake, labelled output
Building from source
git clone https://github.com/wundervault/wundervault-mcp.git
cd wundervault-mcp
npm install
npm run build # compiles TypeScript to dist/
npm test # run the test suite
License
Licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later). See LICENSE.
Wundervault is open-core: this MCP server and the client are open source; the hosted service at wundervault.com is a commercial offering. For commercial or hosting inquiries, get in touch via wundervault.com/contact.
Установка wundervault/wundervault-mcp
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/wundervault/wundervault-mcpFAQ
wundervault/wundervault-mcp MCP бесплатный?
Да, wundervault/wundervault-mcp MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для wundervault/wundervault-mcp?
Нет, wundervault/wundervault-mcp работает без API-ключей и переменных окружения.
wundervault/wundervault-mcp — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить wundervault/wundervault-mcp в Claude Desktop, Claude Code или Cursor?
Открой wundervault/wundervault-mcp на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Gmail
Read, send and search emails from Claude
автор: GoogleSlack
Send, search and summarize Slack messages
автор: SlackRunbear
No-code MCP client for team chat platforms, such as Slack, Microsoft Teams, and Discord.
Discord Server
A community discord server dedicated to MCP by [Frank Fiegel](https://github.com/punkpeye)
Compare wundervault/wundervault-mcp with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории communication
