Svault
The secret manager that knows an AI is asking.
Svault is an AI-aware secret access layer written in Rust. It sits between AI agents and your credentials — enforcing structured requests, detecting suspicious patterns, and making sure an agent has a real reason before it touches anything sensitive.
Why Svault? Every existing secret manager (1Password, Infisical, HashiCorp Vault) treats an AI agent the same as a human or a script. Svault doesn't. It knows the difference.
flowchart LR
H["Human"] -->|"svault secret get<br/>(passphrase)"| V["Svault"]
A["AI Agent"] -->|"svault get<br/>scope + reason"| P["Policy engine"]
P -->|"allow / deny + audit"| V
V --> E["vault.enc<br/>AES-256-GCM"]
Documentation
| Guide | What's inside |
|---|---|
| Installation | crates.io, from source, supported platforms |
| Interactive mode (TUI) | The full-screen dashboard and keybindings |
| Command reference | Every subcommand and flag |
| Policy engine | The agent path — svault get, scopes, tiers, audit |
| Recovery & portability | Recovery code for a lost passphrase, export/import bundles |
| Storage backends | Local today; cloud / self-hosted / S3 placeholders |
| Security model | Crypto, memory safety, what's safe to commit |
| Architecture | How it works, on-disk layout, auth methods |
| Roadmap | Where Svault is headed |
| Changelog | What's shipped, version by version |
Quick start
# Install
# 1. Create an encrypted vault (interactive: storage, name, agents, auto-lock, passphrase…)
# Prints a one-time recovery code — save it (see 'svault recover').
# 2. Add secrets
# 3. Unlock for your session (passphrase cached, not prompted again)
# 4. Use secrets without re-entering the passphrase
# 5. Lock when done
Or just run svault with no arguments for the interactive TUI.
⭐ Star us if you like the project!
Run svault with no subcommand to open the full-screen terminal UI:
Browse all vaults (with live lock state), c create, u unlock / l lock, s edit settings, and — once a vault is unlocked — a add, view, and d delete secrets. The TUI reuses the cached session passphrase, so an unlocked vault is never re-prompted. Every subcommand still works for scripting.
Full keybindings → docs/tui.md
svault secret get is the human path — passphrase, no questions asked. svault get is the agent path: a structured request that an AI must justify.
flowchart TD
REQ["svault get"] --> ID["Identify caller"]
ID --> RSN{"Reason valid?"}
RSN -->|no| DENY["Deny + audit"]
RSN -->|yes| CAP{"Caller holds scope<br/>& matches secret?"}
CAP -->|no| DENY
CAP -->|yes| TIER{"Sensitivity tier?"}
TIER -->|high| DENY
TIER -->|low / medium| RATE{"Within rate limit<br/>& no burst?"}
RATE -->|no| DENY
RATE -->|yes| ALLOW["Return value + audit"]
Policy lives in a committable svault.policy.yaml (no secrets inside). high-tier secrets are never handed to an agent.
Full pipeline, YAML schema, tiers → docs/policy-engine.md
svault create prints a one-time recovery code — a 160-bit second key that resets a lost passphrase. It's shown once and never stored in plaintext; keep it in a password manager.
The bundle carries no machine-specific state and every byte is encrypted or signed — safe to move between machines (same major Svault version).
Recovery code + export/import → docs/recovery.md
| Backend | Status |
|---|---|
local |
Available (default) |
cloud |
Coming soon — Soluzy SaaS |
self-hosted |
Coming soon — your own server |
s3 |
Coming soon — S3 / MinIO |
The chosen backend is recorded in meta.yaml and shown as a storage:name prefix everywhere a vault is listed. Vault names must be unique.
Details → docs/storage-backends.md
| Property | Implementation |
|---|---|
| Encryption | AES-256-GCM |
| Key derivation | Argon2id (64 MB, 3 iterations) — GPU-resistant |
| Metadata integrity | HMAC-SHA256 — tampering with meta.yaml is detected |
| Memory safety | VaultKey + secrets derive ZeroizeOnDrop — wiped on drop |
| Session file | Atomic write, mode 0600 |
| Vault file | Safe to commit — encrypted at rest |
The passphrase is the only key.
Threat model + on-disk layout → docs/security.md
flowchart TD
U["AI Agent / User"] -->|"svault_get_secret(name, scope, reason)"| D["Svault"]
D --> AUTH["Multi-factor auth<br/>Passphrase · YubiKey · TOTP · Touch ID"]
AUTH --> POL["Policy checks<br/>reason → capability → rate limit<br/>burst detection · audit log"]
POL --> TIER["Sensitivity tier enforcement"]
TIER --> ENC["(.svault/<vault>/vault.enc<br/>AES-256-GCM encrypted)"]
Auth methods, full layout → docs/architecture.md
Roadmap
| Phase | Status | What |
|---|---|---|
| Step 1 | Done | Local encrypted vault — AES-256-GCM + Argon2id |
| Step 1+ | Done | Interactive Ratatui TUI — forms, browsers, lock-aware secrets |
| Step 2 | Done | Policy engine — caller identity, reason, scopes, tiers, rate limit, audit log |
| Step 3 | In progress | Recovery (code + export/import) shipped; daemon next. Extra auth methods (YubiKey, TOTP, Touch ID/Face ID) deferred |
| Step 4 | Planned | Desktop GUI (Tauri) + system tray |
| Step 5 | Planned | MCP integration — Claude Code, Cursor, Copilot, VS Code, Aider |
| Cloud | Planned | Anomaly scoring via Claude Haiku — free tier + premium plans |
Full roadmap → docs/roadmap.md
Tests
64 tests covering: roundtrip encryption, wrong-key rejection, bit-flip authentication failure, distinct salts → distinct keys, key-from-bytes roundtrip, vault create/open, open-with-key, re-key, wrong passphrase, add/get/list/remove, persistence across reopen, tampered vault.enc rejected, tampered meta.yaml rejected, session unlock/lock/lock-all, passphrase strength checks, audit record/read, rate-limit parsing, the policy engine (capability, tiers, rate limit, burst, unknown caller, fallback mode), recovery code write/unlock + wrong-code rejection, full recover-and-rekey roundtrip (old passphrase rejected, secret preserved, code still valid), export-bundle checksum integrity, build→import recreating an openable vault + overwrite rejection, storage-backend metadata roundtrip, and TUI key dispatch (field navigation, the rate-limit space-toggle regression, paste handling, and the help overlay).
CI runs the suite on Ubuntu, Fedora, macOS, and Windows on every push and pull request.
License
Apache 2.0 — see LICENSE.
Built by Soluzy.