Vaulted is a local-first vault encrypted at rest, a hardened Rust runner that injects secrets into your process, and an MCP server that keeps values out of your agent's context window.
curl -fsSL https://raw.githubusercontent.com/woosal1337/vaulted/main/scripts/install.sh | sh
Read the script before you pipe it to sh, or download it first and run it from disk.
Every claim below maps to implemented, tested behavior documented in the security model.
One injection path, a Rust library loaded over FFI. Core dumps are disabled, the child environment is cleared to a 10-variable allowlist plus your secrets, buffers are zeroized, and nothing is written to disk.
Five tools over stdio for Claude Code, Cursor, Codex, Zed, OpenCode, and Claude Desktop. Read tools return names and metadata only, and run output is redacted before it reaches the model.
vaulted run executes through the hardened Rust runner with a cleaned environment, so your .env file can be deleted.
vaulted import moves your .env into the vault. vaulted export reconstructs it when you need it back, and every export is audited.
Projects with development, staging, and production environments, pinned per directory by vaulted.toml, discovered like git.
AES-256-GCM under a key hierarchy rooted in your master password via Argon2id. Only ciphertext ever touches disk.
Captured run output is scanned in plain, base64, and URL-encoded forms. Matches come back as [REDACTED:KEY_NAME].
Reveals, exports, runs, and MCP access all leave a local record, written in the same transaction as the mutation.
vaulted rotate generates a new project key and re-encrypts every secret in the project in one command.
vaulted lock clears the keychain entry and the password file. Unlock once, and the MCP server never prompts.
Your master password derives the master key via Argon2id with 64 MiB of memory, 3 iterations, and 4 lanes. That key encrypts an RSA-2048 private key, which unwraps a random AES-256-GCM key per project, which encrypts every secret value. Only ciphertext ever touches disk, the database and password file are 0600, and there is no password recovery of any kind. No reset flow, no escrow, no security questions. A lost master password means an unreadable vault, by design.
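The hierarchy above, as an added example in Go using only the standard library (this is illustrative code, not Vaulted's implementation, and says nothing about its file format). It follows the same shape: password to master key, master key wraps an RSA-2048 private key, the RSA key wraps a random AES-256 project key, the project key encrypts the secret. Two substitutions are this example's own: Argon2id is not in Go's standard library, so the master key is derived with an inline PBKDF2-HMAC-SHA256 stand-in, and the project key is wrapped with RSA-OAEP, which the page does not specify. The associated-data labels and the sample password and secret are also assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
)

// Vault holds the only things that may touch disk: ciphertext and public parameters.
type Vault struct {
	Salt          []byte // KDF salt, public
	WrappedRSAKey []byte // PKCS#8 private key, AES-256-GCM under the master key
	WrappedPrjKey []byte // per-project AES-256 key, RSA-OAEP under the RSA public key
	Secret        []byte // secret value, AES-256-GCM under the project key
}

// deriveMasterKey stretches the password into a 32-byte key. Vaulted uses
// Argon2id (64 MiB, 3 iterations, 4 lanes); this example substitutes an inline
// PBKDF2-HMAC-SHA256 because Argon2 is not in Go's standard library.
func deriveMasterKey(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index, one 32-byte block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// sealGCM encrypts with AES-256-GCM, prefixing a random nonce; the aad label
// binds each blob to its role so it cannot be swapped into another slot.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// NewVault builds the hierarchy top-down. Every key below the password is
// random, so rotating the project key never requires re-deriving the master key.
func NewVault(password, secret []byte) (*Vault, error) {
	v := &Vault{Salt: make([]byte, 16)}
	if _, err := io.ReadFull(rand.Reader, v.Salt); err != nil {
		return nil, err
	}
	master := deriveMasterKey(password, v.Salt, 10000)
	defer zero(master)
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	pkcs8, err := x509.MarshalPKCS8PrivateKey(rsaKey)
	if err != nil {
		return nil, err
	}
	defer zero(pkcs8)
	if v.WrappedRSAKey, err = sealGCM(master, pkcs8, []byte("rsa-private-key")); err != nil {
		return nil, err
	}
	projectKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, projectKey); err != nil {
		return nil, err
	}
	defer zero(projectKey)
	v.WrappedPrjKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &rsaKey.PublicKey, projectKey, []byte("project-key"))
	if err != nil {
		return nil, err
	}
	v.Secret, err = sealGCM(projectKey, secret, []byte("secret"))
	return v, err
}

// Reveal walks the hierarchy back down. A wrong password fails at the first
// GCM tag check and never reaches the RSA key or the project key.
func (v *Vault) Reveal(password []byte) ([]byte, error) {
	master := deriveMasterKey(password, v.Salt, 10000)
	defer zero(master)
	pkcs8, err := openGCM(master, v.WrappedRSAKey, []byte("rsa-private-key"))
	if err != nil {
		return nil, fmt.Errorf("unlock failed: %w", err)
	}
	defer zero(pkcs8)
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil {
		return nil, err
	}
	projectKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key.(*rsa.PrivateKey), v.WrappedPrjKey, []byte("project-key"))
	if err != nil {
		return nil, err
	}
	defer zero(projectKey)
	return openGCM(projectKey, v.Secret, []byte("secret"))
}

func main() {
	v, err := NewVault([]byte("correct horse battery"), []byte("hunter22")) // constructed sample
	if err != nil {
		panic(err)
	}
	got, err := v.Reveal([]byte("correct horse battery"))
	fmt.Printf("revealed %q, err=%v\n", got, err)
	_, err = v.Reveal([]byte("wrong password"))
	fmt.Println("wrong password:", err)
}
```

The zero calls show the intent of zeroizing, but Go gives no guarantee that the garbage collector has not already copied a slice; that is one practical reason a runner that handles plaintext keys is written in Rust, where the zeroize crate and ownership rules make the guarantee enforceable.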
Read the full security model →
Short answers from the security model and the MCP reference.
No. There is no server. Secrets live in an encrypted SQLite vault on your machine, values are AES-256-GCM ciphertext under a key hierarchy rooted in your master password, and decryption happens locally.
Everything sits under ~/.config/vaulted, an SQLite database and an optional password file, both mode 0600. Each project directory gets a vaulted.toml that pins the project and default environment and holds no secret material.
The vault becomes unreadable, by design. There is no reset flow, no escrow, and no security questions. Export what you need while you can still decrypt.
The four read tools return names and metadata only. run-with-secrets executes a command through the hardened runner and redacts the injected values from the captured output before it reaches the model.
It disables core dumps, clears the child environment to a 10-variable allowlist plus your secrets, zeroizes secret buffers, and writes nothing to disk. vaulted run and the MCP run tool share this one Rust code path over FFI.
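The two environment controls above, as an added example in Go (illustrative, not the Rust runner's code, and not a claim about how it is implemented): the child environment is rebuilt from an allowlist plus the injected secrets rather than filtered from the parent, and RLIMIT_CORE is set to zero before the fork so the child inherits it. The page says the allowlist has 10 variables but does not list them; the ten names here are this example's assumption, as are the sample parent variables and secret.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
	"syscall"
)

// allowlist is the set of parent variables a child may inherit. Vaulted's list
// has 10 entries; the page does not enumerate them, so these are assumed.
var allowlist = []string{"PATH", "HOME", "USER", "SHELL", "LANG", "LC_ALL", "TERM", "TMPDIR", "PWD", "TZ"}

// CleanEnv builds the child environment from scratch: allowlisted parent
// variables plus the injected secrets, nothing else. Building rather than
// filtering means LD_PRELOAD, proxy settings and stray credentials in the
// parent never reach the child, and a secret wins any name collision so a
// parent variable cannot shadow a vault value.
func CleanEnv(parent []string, secrets map[string]string) []string {
	allowed := map[string]bool{}
	for _, name := range allowlist {
		allowed[name] = true
	}
	env := map[string]string{}
	for _, kv := range parent {
		name, value, ok := strings.Cut(kv, "=")
		if ok && allowed[name] {
			env[name] = value
		}
	}
	for name, value := range secrets {
		env[name] = value
	}
	out := make([]string, 0, len(env))
	for name, value := range env {
		out = append(out, name+"="+value)
	}
	sort.Strings(out) // deterministic order for logs and tests
	return out
}

// DisableCoreDumps sets RLIMIT_CORE to zero (soft and hard) in this process
// before it forks, so the child inherits it and a crash can never write a
// core file containing decrypted values. Unix only: syscall.Setrlimit and
// RLIMIT_CORE do not exist on Windows.
func DisableCoreDumps() error {
	return syscall.Setrlimit(syscall.RLIMIT_CORE, &syscall.Rlimit{Cur: 0, Max: 0})
}

// Run executes argv with the cleaned environment and returns captured output.
// Redaction of that output (shown with the redaction feature above) would sit
// between CombinedOutput and the caller.
func Run(argv []string, secrets map[string]string) (string, error) {
	if err := DisableCoreDumps(); err != nil {
		return "", err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env = CleanEnv(os.Environ(), secrets)
	out, err := cmd.CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed demonstration: the secret is visible to the child, a parent
	// LD_PRELOAD (if any) is not.
	os.Setenv("LD_PRELOAD", "/tmp/evil.so")
	out, err := Run([]string{"sh", "-c", `echo "secret=$DB_PASSWORD ld_preload=$LD_PRELOAD"`},
		map[string]string{"DB_PASSWORD": "hunter22"})
	fmt.Print(out)
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Go strings are immutable, so the secret values in the map cannot be zeroized after the child exits; that is the third property on the page, and the one this language cannot deliver, which is why the runner is a Rust library rather than a wrapper in the host language of each client.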
Yes. vaulted export reconstructs a dotenv file from any environment. The export is written to the audit log before any plaintext is emitted.
Install Vaulted, import your secrets, and keep them on your machine.