GitHub - inflightsec/agent-vault-proxy: Just-in-time API keys for AI agents - and any other process you route through it: the caller only ever sees a placeholder.

Just-in-time API keys for AI agents and any other process you route through it: the caller only ever sees a placeholder.

AVP protects you from credential stealers (Shai-Hulud and similar) and prompt-injected agents leaking your secrets. It's a local proxy that injects real secrets into requests in-flight, so a compromised or prompt-injected agent has nothing to steal.

Under the hood: a loopback HTTPS proxy that fetches credentials from Bitwarden Secrets Manager — cloud or self-hosted — just-in-time and injects them into outbound requests, so the calling process never holds the real credential bytes in its address space.

Try it. 10 seconds.

$ pipx install agent-vault-proxy            # pipx puts `avp` on $PATH for sudo
$ sudo avp setup --static
$ sudo avp secret add STRIPE_API_KEY         # prompts; no echo
✓ added secret 'STRIPE_API_KEY'
  next: run `avp env` to refresh ~/.config/avp/env
$ avp env
$ avp run claude                             # auto-loads ~/.config/avp/env, sets proxy, exec

avp run reads the placeholder env file itself, so the real key never enters your shell — not even as a placeholder. Add more secrets later by repeating secret add + avp env.

No Bitwarden account? --static keeps secrets in a local YAML file owned by the service user. Upgrade later by re-running sudo avp setup without --static.

On Mac: brew install inflightsec/avp/agent-vault-proxy.

See it in action

Docs

• Quickstart — 10-minute first run ending in a visible substitution
• Concepts — placeholder, binding, the CA, fail-closed — in plain terms
• Prerequisites — Bitwarden Secrets Manager setup (do this first)
• Linux install · Docker · macOS
• Usage — pointing your agent at the proxy
• Linux isolation — composing AVP with bubblewrap for filesystem sandboxing
• bindings.example.yaml — full config schema
• Architecture — threat model, G1–G9 invariants, hardening, residual risks
• Adapter architecture — plug in another vault backend
• Comparison — vs. Vault Agent, Doppler, op run, superfly/tokenizer
• CHANGELOG · SECURITY · CONTRIBUTING · CREDITS

The proxy never phones home. The only outbound connections it makes are to the BWS endpoint you configure and the upstream APIs your agent is calling. No telemetry. The audit log under /var/log/agent-vault-proxy/audit.jsonl is local-only.

License

MIT — see LICENSE. Prior art acknowledged in CREDITS.md.