agent-vault


Read and write config files without ever seeing secret values. Secrets are stored in an encrypted local vault. You see `<agent-vault:key-name>` placeholders; the real values are written to disk transparently.

Safe commands (you execute these)


```
agent-vault read <file>                   Read file, secrets → <agent-vault:key>
agent-vault write <file> --content '...'  Write file, <agent-vault:key> → real values
agent-vault has <key> [keys...]           Check if keys exist (exit 0/1)
agent-vault list                          List stored key names
```

Sensitive commands (NEVER execute — tell the user to run these)


```
agent-vault set <key>                     Prompt user to enter a secret
agent-vault import <file>                 Bulk import from .env
agent-vault rm <key>                      Remove a secret
agent-vault get <key> --reveal            Show secret value (user only)
```

These require a TTY and will fail if you try to execute them.

Rules


  1. NEVER use Read/Write/Edit tools on files that contain secrets. Use `agent-vault read` and `agent-vault write` instead.
  2. NEVER execute sensitive commands. Tell the user to run them in their terminal.
  3. Always check first. Run `agent-vault has <key>` before asking users to set keys they might already have.
  4. Use `<agent-vault:key-name>` placeholders in all file content you write.
  5. Guide the user. When a secret is missing, tell them the exact command to run and where to find the value.

Workflow


```
1. agent-vault has <key>           ← check what's available
2. (if missing) tell user:         ← "Please run: agent-vault set <key>"
3. (wait for user confirmation)
4. agent-vault read <file>         ← read config with redacted secrets
5. agent-vault write <file> ...    ← write config, secrets auto-restored
```

Placeholder format


`<agent-vault:key-name>` — key names are lowercase alphanumeric with hyphens.
Examples: `<agent-vault:telegram-bot-token>`, `<agent-vault:openai-key>`, `<agent-vault:db-password>`

When reading, unvaulted high-entropy strings appear as `<agent-vault:UNVAULTED:sha256:XXXXXXXX>`. Tell the user to vault them.
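The redact-on-read / restore-on-write round trip that the placeholder format and the workflow above describe, modelled as an added Python example. This is illustrative code written for this page, not agent-vault's own implementation: the in-memory `VAULT` dict of made-up values, the entropy threshold, and the token pattern used to spot candidate secrets are assumptions; the placeholder syntax, the key-name rule, and the 8-hex-character truncated SHA-256 in the `UNVAULTED` placeholder follow the format shown on the page.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample vault (key name -> secret). These are made-up strings,
# not real credentials; the real tool keeps them encrypted on disk.
VAULT = {
    "api-key": "sk-test-0123456789abcdefXYZ",
    "db-password": "hunter2-but-longer-and-random-9f3k",
}

# Key names per the placeholder format: lowercase alphanumerics and hyphens.
KEY_NAME_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
# Any placeholder (vaulted or UNVAULTED); capturing group so split() keeps them.
PLACEHOLDER_RE = re.compile(r"(<agent-vault:[^>\s]+>)")
# Assumed heuristic: a candidate secret is 16+ chars from a typical token alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{16,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff, not agent-vault's


def is_valid_key_name(name: str) -> bool:
    return bool(KEY_NAME_RE.match(name))


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unvaulted_placeholder(value: str) -> str:
    """Placeholder for a high-entropy string that is not in the vault. Only a
    truncated SHA-256 is shown, so the value itself never reaches the agent."""
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]
    return f"<agent-vault:UNVAULTED:sha256:{digest}>"


def redact(content: str, vault: dict) -> str:
    """Model of `agent-vault read`: vaulted values -> <agent-vault:key>,
    unvaulted high-entropy tokens -> <agent-vault:UNVAULTED:sha256:...>."""
    for name in vault:
        if not is_valid_key_name(name):
            raise ValueError(f"invalid key name: {name!r}")
    # Longest values first, so a value that is a prefix of another is not clobbered.
    for name, value in sorted(vault.items(), key=lambda kv: -len(kv[1])):
        content = content.replace(value, f"<agent-vault:{name}>")

    def flag(match):
        token = match.group(0)
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            return unvaulted_placeholder(token)
        return token

    # Scan only the text between placeholders, so placeholders are never re-flagged.
    parts = PLACEHOLDER_RE.split(content)
    return "".join(p if PLACEHOLDER_RE.fullmatch(p) else TOKEN_RE.sub(flag, p) for p in parts)


def missing_keys(content: str, vault: dict) -> list:
    """Workflow step 1: placeholders in the content that the vault cannot fill.
    Mirrors running `agent-vault has <key>...` before asking the user to set anything."""
    refs = re.findall(r"<agent-vault:([a-z0-9-]+)>", content)
    return sorted({r for r in refs if r not in vault})


def restore(content: str, vault: dict) -> str:
    """Model of `agent-vault write`: <agent-vault:key> -> real value. Refuses
    UNVAULTED placeholders (nothing to restore) and unknown keys, instead of
    silently writing a placeholder literal into the config on disk."""
    def fill(match):
        ref = match.group(1)
        if ref.startswith("UNVAULTED:"):
            raise ValueError(f"cannot restore {match.group(0)}; ask the user to vault it")
        if ref not in vault:
            raise KeyError(f"no secret {ref!r}; ask the user to run: agent-vault set {ref}")
        return vault[ref]
    return re.sub(r"<agent-vault:([^>\s]+)>", fill, content)


if __name__ == "__main__":
    # Constructed config text containing the two vaulted values and one stray token.
    raw = ("api_key: sk-test-0123456789abcdefXYZ\n"
           "db_password: hunter2-but-longer-and-random-9f3k\n"
           "webhook_secret: Zq8vP2xL9mRt4Wn7Bk3Yd6Hs\n"
           "host: 0.0.0.0\n")
    print(redact(raw, VAULT))
```

The agent only ever sees the output of `redact`; `restore` runs on the trusted side when the file is written, and it fails closed on an `UNVAULTED` or unknown placeholder so the next step is a message to the user rather than a broken config.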

Example: setting up a new service


```bash
# Check what exists
agent-vault has api-key db-password --json
# → {"api-key": true, "db-password": false}
```


Tell the user (as text, do NOT execute):

> Please run: `agent-vault set db-password`

After user confirms:

```bash
agent-vault write config.yaml --content 'api_key: <agent-vault:api-key>
db_password: <agent-vault:db-password>
host: 0.0.0.0
port: 8080'
```


Example: modifying an existing config


```bash
# Read current state
agent-vault read config.yaml
# → 1 api_key: <agent-vault:api-key>
#   2 db_password: <agent-vault:db-password>
#   3 port: 3000

# Write updated version
agent-vault write config.yaml --content 'api_key: <agent-vault:api-key>
db_password: <agent-vault:db-password>
port: 9090'
```

Example: write via heredoc (for longer content)


```bash
agent-vault write docker-compose.yaml <<'EOF'
services:
  app:
    environment:
      API_KEY: <agent-vault:api-key>
      DB_PASSWORD: <agent-vault:db-password>
    ports:
      - "8080:8080"
EOF
```