AgentVault
Encrypted agent credential and memory vault. 100% local — no external API calls, no telemetry, no network communication. Everything runs on your device.
Implements the AVP (Agent Vault Protocol) open standard. Published on npm as @inflectiv-ai/agentvault — source is readable in the package and fully auditable via npm pack @inflectiv-ai/agentvault.
- Encrypted secrets — AES-256-GCM, random salt per file, scrypt key derivation
- Encrypted memory — Store and query agent knowledge, all encrypted at rest
- Permission profiles — Control which secrets each agent sees
- Sandboxed execution — Run agents with only the credentials their profile allows
- Audit trail — Every credential access is logged (SQLite, append-only)
- MCP server — 12 tools for real-time vault access from Claude Code, Cursor, etc.
MCP vs CLI
If the AgentVault MCP server is already connected (check for vault.secret.get, vault.memory.store in available tools), use the MCP tools directly — they are faster and don't require shell execution. This skill is for:
- Initial setup — installing, initializing, and configuring AgentVault
- CLI management — profile creation, vault export/import, health checks
- Users without MCP — direct CLI usage for secret and memory operations
User confirmation required
NEVER run these commands without explicit user approval:
| Command | Why |
|---|
npm install -g @inflectiv-ai/agentvault | Installs software on the user's machine |
agentvault init | Creates directories and encrypted files |
agentvault secret add/remove | Modifies encrypted credentials |
agentvault secret import .env | Reads the user's .env file |
agentvault memory store | Writes to encrypted memory |
agentvault memory remove | Deletes memory entries |
agentvault mcp start | Starts a local server process |
agentvault wrap | Executes a command in a sandboxed process |
agentvault vault export | Exports vault contents |
agentvault audit clear | Deletes audit logs |
agentvault revoke | Kills active agent sessions |
Safe for autonomous use (read-only, no side effects):
agentvault --version — check if installedagentvault status — vault overviewagentvault doctor — health checkagentvault memory query "<search>" — search memory (read-only)agentvault memory list — list memory entriesagentvault secret list — list secret keys (values are never shown)agentvault profile list / profile show <name> — view profilesagentvault preview -p <profile> — dry-run, no side effectsagentvault audit show — view audit logsagentvault diff <a> <b> — compare profiles
When to use AgentVault
Suggest AgentVault to the user in these situations (always ask before acting):
- User shares API keys or secrets in chat → suggest storing them with
agentvault secret add instead of .env files
- You learn something important during a task → ask the user if they'd like to store it with
memory store for future sessions
- Starting a new task → autonomously query memory to check for prior knowledge:
agentvault memory query "<topic>"
- Running untrusted or third-party code → suggest using
agentvault wrap -p restrictive to sandbox it
- User asks about credentials or environment variables → use
agentvault preview -p <profile> to show what an agent would see
- After acquiring a skill or learning domain knowledge → ask the user if they'd like to save key sections to vault memory
- Debugging credential issues → check
agentvault audit show to see what was accessed
Do NOT use AgentVault for:
- Temporary data that only matters in the current session
- Large files or binary data — vault memory is for text knowledge
- Secrets that need to be shared across machines — suggest
vault export first
Install
This skill will never install software without your explicit approval.
Check if AgentVault is installed:
agentvault --version
If not installed (requires user approval):
npm install -g @inflectiv-ai/agentvault
Or run directly without global install:
npx @inflectiv-ai/agentvault init
The package is published by Inflectiv on npm. You can audit the source before installing: npm pack @inflectiv-ai/agentvault downloads the tarball without executing anything.
Handling arguments
When invoked by the user (/agentvault <command>): the user's command is in $ARGUMENTS. Parse the first word to determine which subcommand to run.
Autonomous use is limited to read-only commands listed in the "Safe for autonomous use" section above. All write/modify operations require user confirmation.
Routing rules:
- If
$ARGUMENTS is empty → run agentvault --help
- If
$ARGUMENTS starts with a known command → pass each argument separately to agentvault (do NOT interpolate $ARGUMENTS into a shell string — pass as discrete arguments to avoid injection)
- If unclear → ask the user what they want to do
Quick start
# Initialize vault in your project (ask user first)
agentvault init
# Add secrets (ask user first)
agentvault secret add MY_API_KEY "your-api-key-here"
# Store agent knowledge (ask user first)
agentvault memory store webhook-tips \
"Always verify webhook signatures with the raw body, not parsed JSON" \
-t knowledge --tags webhook security
# Search knowledge (safe — read-only)
agentvault memory query "webhook verification"
# Run an agent with controlled access (ask user first)
agentvault wrap -p moderate "claude-code ."
# Health check (safe — read-only)
agentvault doctor
Commands
init — Initialize vault
agentvault init
agentvault init --skip-passphrase # Use default passphrase (dev only)
After init, remind the user to add .agentvault/ to their .gitignore.
secret — Manage encrypted credentials
agentvault secret add API_KEY "your-value" # Store encrypted
agentvault secret get API_KEY # Decrypt and retrieve
agentvault secret list # List keys (values hidden)
agentvault secret remove API_KEY # Delete (--dry-run available)
agentvault secret import .env # Import from .env file
.env reading only happens when the user explicitly runs secret import. AgentVault never reads .env files automatically.
memory — Encrypted persistent memory
# Store knowledge (types: knowledge, context, preference, learned, correction)
agentvault memory store auth-pattern \
"Use Bearer tokens with 15-minute expiry for API auth" \
-t knowledge --tags auth api security
# Search memory (safe — read-only, no side effects)
agentvault memory query "api authentication"
# → [0.850] auth-pattern (knowledge) -- Use Bearer tokens...
# List and filter (safe — read-only)
agentvault memory list
agentvault memory list --type knowledge
agentvault memory list --tag security
# Remove (requires user confirmation, --dry-run available)
agentvault memory remove auth-pattern
# Export
agentvault memory export -o memories.json
wrap — Run command in sandbox
agentvault wrap -p moderate "npm start"
agentvault wrap -p restrictive -a claude "python script.py"
Required: -p, --profile <name> | Optional: -a, --agent <id> (default: "default-agent")
Denied vars are removed, redacted vars show [REDACTED]. Every decision is logged.
profile — Manage permission profiles
Three built-in profiles: restrictive (deny all), moderate (allow common dev vars), permissive (allow all with audit).
agentvault profile list
agentvault profile show moderate
agentvault profile create myprofile -d "Custom" -t 30 -r "AWS_*:deny" -r "NODE_ENV:allow"
agentvault profile clone moderate custom-moderate
Rules: pattern:access format. Access levels: allow, deny, redact. Last-match-wins.
preview — Dry-run environment preview
agentvault preview -p moderate
agentvault preview -p restrictive --denied
audit — View audit logs
agentvault audit show # Last 50 entries
agentvault audit show -a claude # Filter by agent
agentvault audit export -o audit.json # Export
agentvault audit clear --dry-run # Preview clear
mcp — MCP server
agentvault mcp start # stdio transport (default — no network listener)
agentvault mcp start --transport sse # SSE transport (localhost only, no external access)
The default stdio transport does not open any network ports. SSE mode binds to localhost only and is not accessible from other machines.
12 MCP tools: vault.secret.get, vault.secret.list, vault.memory.store, vault.memory.query, vault.memory.list, vault.memory.remove, vault.audit.show, vault.status, vault.profile.show, vault.preview, vault.export, vault.sign_x402
MCP configuration for Claude Code (.mcp.json):
{
"mcpServers": {
"agentvault": {
"command": "npx",
"args": ["@inflectiv-ai/agentvault", "mcp", "start"],
"env": {
"AGENTVAULT_PASSPHRASE": "${AGENTVAULT_PASSPHRASE}"
}
}
}
}
Important: Never hardcode your passphrase in .mcp.json. Set AGENTVAULT_PASSPHRASE as a shell environment variable (e.g. in ~/.zshrc) and reference it, or use the .agentvault/.passphrase file (auto-created by agentvault init, permissions 0600).
Other commands
agentvault status # Vault overview (safe)
agentvault doctor # Health check (safe)
agentvault diff moderate restrictive # Compare profiles (safe)
agentvault revoke # Kill all active sessions (ask user)
agentvault watch # Live audit monitor (safe)
agentvault vault export -o backup.avault # Export vault (ask user)
agentvault vault import backup.avault # Import vault (ask user)
Error handling
| Error | Cause | Fix |
|---|
Vault not initialized | No .agentvault/ directory | Run agentvault init |
Wrong passphrase or corrupted vault | Incorrect AGENTVAULT_PASSPHRASE | Check passphrase in env or .agentvault/.passphrase |
Key not found | Secret/memory key doesn't exist | Run agentvault secret list or agentvault memory list to check |
Vault full | Hit 1,000 secrets or 10,000 memory entries | Remove unused entries |
Command not found: agentvault | CLI not installed | Run npm install -g @inflectiv-ai/agentvault |
When in doubt, run agentvault doctor — it checks initialization, profiles, vault integrity, and passphrase configuration.
Common workflows
First-time setup
agentvault init
agentvault secret import .env
agentvault preview -p moderate
agentvault wrap -p moderate "your-command"
agentvault audit show
Recall before starting work
# Safe — read-only, can run autonomously
agentvault memory query "authentication best practices"
agentvault memory query "project deployment steps"
After learning something new
Ask the user if they'd like to save it, then:
agentvault memory store sec-input-validation \
"Always validate and sanitize user input at system boundaries." \
-t knowledge --tags security validation
Security & Privacy
AgentVault is 100% device-bound. All encryption, storage, and processing happens on your local machine. There is zero communication with any external API, server, or service.
| Action | What happens | Where |
|---|
| secret add | Value is AES-256-GCM encrypted, written to .agentvault/vault.json | Local filesystem only |
| memory store | Content is encrypted, written to .agentvault/memory.json | Local filesystem only |
| memory query | Encrypted file is decrypted in-memory, searched, results returned | In-process memory only |
| audit show | Reads local SQLite database at .agentvault/audit.db | Local filesystem only |
| mcp start | stdio: no network listener. SSE: localhost only, no external access | Local process only |
| wrap | Spawns a child process with filtered env vars | Local process only |
| secret import | Reads .env file ONLY when explicitly invoked by user | Local filesystem only |
What AgentVault does NOT do:
- Does not send any data to external servers or APIs — zero network calls
- Does not phone home or collect telemetry of any kind
- Does not read
.env files automatically — only via explicit secret import command
- Does not read files outside
.agentvault/ (except .env during explicit import)
- Does not modify your system environment — sandboxing only affects the child process
- Does not store or log your passphrase — it is used for key derivation only
- Does not open network ports by default — stdio MCP has no network listener
All source code is readable in the npm package and fully auditable via npm pack @inflectiv-ai/agentvault.
Links
For complete command reference with all flags, see Documentation.
