A local broker that holds your secrets in one encrypted vault and hands them to apps and coding agents when needed, only inside the project boundary, only for the window you allow, and never as a value the agent can see.
- Vault: 1 file · Argon2id · AEAD
- Audit log: chained HMAC · append-only
- hasp broker: v1.0 · daemon · at exec · 11 enc.
- Agent: MCP / CLI · 6 first-class
- App: launcher on PATH · env · file · dotenv
- Plaintext path: only inside the brokered child process
- Cleartext at rest: never. Memory only while unlocked.
HASP core specifications
Streaming output redactor
Raw, base64-std, base64-url, base32, hex (lower & upper), URL-encoded, JSON-escaped, HTML entity, double-percent, Unicode escape. Marker tokens preserve line counts.
Hard grant ceiling
Once · session · window. Window accepts durations like 15m or 1h. The 24-hour ceiling is enforced inside the daemon. No policy can lift it.
First-class agent profiles
claude-code, codex-cli, cursor, aider, hermes, openclaw. A generic profile covers anything else that speaks MCP or runs a CLI.
Local-first, end to end
No account. No control plane. Telemetry stays off unless you explicitly opt in. Works on a plane, in a SCIF, on a laptop with no network. Source-available critical path. Signed release with SBOM & SLSA.
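The streaming redactor described above has to catch a secret in every listed encoding, even when a match is split across two output chunks, and keep line counts stable. The following is an added sketch of that idea, not HASP's own code; the marker text, class name and function names are assumptions.

```python
import base64, html, json, re
from urllib.parse import quote

MARKER = "[REDACTED]"  # assumed marker text; the page does not show HASP's token

def encoded_forms(secret):
    """The 11 encodings listed above, computed for one whole secret value."""
    raw = secret.encode()
    pct = quote(secret, safe="")
    return {
        secret,                                       # raw
        base64.b64encode(raw).decode(),               # base64-std
        base64.urlsafe_b64encode(raw).decode(),       # base64-url
        base64.b32encode(raw).decode(),               # base32
        raw.hex(), raw.hex().upper(),                 # hex, lower and upper
        pct,                                          # URL-encoded
        pct.replace("%", "%25"),                      # double-percent
        json.dumps(secret)[1:-1],                     # JSON-escaped
        html.escape(secret, quote=True),              # HTML entity
        "".join(f"\\u{ord(c):04x}" for c in secret),  # Unicode escape
    }

class StreamRedactor:
    """Scrubs chunked output; catches a match split across two chunks."""
    def __init__(self, secrets):
        forms = {f for s in secrets if s for f in encoded_forms(s)}
        ordered = sorted(forms, key=len, reverse=True)   # longest form wins
        self._pattern = re.compile("|".join(map(re.escape, ordered)))
        self._hold = len(ordered[0]) - 1  # longest prefix that may still complete
        self._buf = ""

    def _scrub(self, text):
        # One newline per newline in the match, so line numbers do not shift.
        return self._pattern.sub(lambda m: MARKER + "\n" * m.group().count("\n"), text)

    def feed(self, chunk):
        self._buf = self._scrub(self._buf + chunk)
        cut = max(0, len(self._buf) - self._hold)
        out, self._buf = self._buf[:cut], self._buf[cut:]
        return out

    def flush(self):
        out, self._buf = self._scrub(self._buf), ""
        return out

def redact_stream(chunks, secrets):
    """Feed every chunk, then flush the held-back tail."""
    redactor = StreamRedactor(secrets)
    return "".join(redactor.feed(c) for c in chunks) + redactor.flush()
```

This sketch matches whole-value encodings only: a secret embedded inside a larger base64 or base32 blob encodes at a shifted alignment and needs separate handling.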
**Surface** · the actual product, in three nouns
Noun 01
Vault
One personal encrypted local store under your home directory. Argon2id with memory-hard parameters (64 MB · 3 iterations · 4 lanes). AEAD encryption at rest. All your secrets live here once.
Noun 02
Apps
Normal applications you connect to the vault: your dev server, your data tool, your CLI. After connecting, you launch them by name and the right values are present. Three delivery modes: env var, temp file 0600, temp dotenv outside the repo.
Noun 03
Agents
Coding agents you connect to the vault. After connecting, the agent works through hasp instead of around it. MCP tool surface returns references and metadata, not values. The agent never reads the value.
Setup is explicit, once. Runtime is invisible, every time after.
**Features** · the whole local broker, organized by job
One local trust boundary, four moving parts.
HASP stays small on purpose: secrets live in one encrypted vault, repo roots define where they may be used, repo targets choose the workflow subset, apps and agents connect once, and short-lived grants deliver values only to a specific brokered run.
- Vault: Encrypted local store of named secrets under HASP_HOME.
- Repo: A bound project root plus optional value-free targets for workflow-specific delivery.
- Agent: A connected app or coding agent that gets brokered access.
- Grant: Short-lived, scoped permission to deliver a secret to one run.
- Start and prove: Guided setup, repo bootstrap, first vault creation, health diagnosis, and the brokered first-proof check. Commands: setup · bootstrap · init · doctor · proof
- Keep secrets named: Add, import, capture, update, reveal, copy, expose, and hide values without turning them into loose project files. Commands: secret · import · set · capture
- Bind the repo edge: Project roots become policy boundaries. Inspect requirements, list targets, adopt repos, unbind stale ones, and scan for leaked managed values. Commands: project · check-repo
- Run without revealing: Resolve env and file refs at exec time, or expand a manifest target. Convenience env files exist, but only as an explicit operator request. Commands: run · inject · write-env
- Apps and agents: Connect app profiles and coding-agent profiles once. MCP and CLI surfaces return references and metadata, not secret values. Commands: app · agent · mcp
- Lock, backup, restore: Lock session material, export encrypted backups, and restore a vault without making recovery a plaintext workflow. Commands: vault · export-backup · restore-backup
- Runtime and grants: Start or inspect the daemon, open or revoke broker sessions, check reachability, and see current vault and daemon state. Commands: daemon · session · status · ping
- Evidence and maintenance: Print audit history, upgrade signed releases, generate completions and docs, report versions, and keep the deprecated TUI path visible. Commands: audit · upgrade · completion · docs · version · tui
**Outcomes** · what stops being your problem
- Brokered run: hasp run · hasp inject
- Process-tree-bound grant: once · session · window
- Repo guardrails: scan · pre-commit · pre-push · deploy wrapper
- Streaming redactor: across 11 encodings
- One vault, many apps: launcher on PATH
- Append-only audit: chained-hash HMAC
- Fail-closed everywhere: no silent downgrade
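A chained-HMAC audit log makes each record's MAC cover the previous record's MAC, so an edited, dropped or reordered entry breaks verification from that point on. The following is an added illustration of the construction, not HASP's log format; the record layout, genesis value, key handling and event field names are assumptions.

```python
import hashlib, hmac, json

GENESIS = "00" * 32  # assumed chain start value for the first record

def _mac(key, prev_mac, event):
    # Canonical JSON so the same event always produces the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def append(log, key, event):
    """Append one record whose MAC covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(key, prev, event)})

def verify(log, key, head=None):
    """Return None if intact, else the index where the chain first breaks.

    `head` is the last MAC, kept outside the log; without it a log with
    its newest records cut off still verifies.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        want = _mac(key, prev, rec["event"])
        if not hmac.compare_digest(want.encode(), str(rec["mac"]).encode()):
            return i
        prev = want
    if head is not None and not hmac.compare_digest(prev.encode(), head.encode()):
        return len(log)
    return None

# Constructed sample events; field names are illustrative, not HASP's schema.
SAMPLE = [
    {"seq": 1, "action": "grant.open", "secret": "STRIPE_KEY", "scope": "once"},
    {"seq": 2, "action": "run.exec", "secret": "STRIPE_KEY", "target": "./api"},
    {"seq": 3, "action": "grant.revoke", "secret": "STRIPE_KEY"},
]

def build_sample(key):
    """Build a three-record chain from the constructed events above."""
    log = []
    for event in SAMPLE:
        append(log, key, event)
    return log
```

The chain alone detects edits and removals in the middle of the log; detecting truncation of the newest records requires the `head` value stored somewhere the log writer cannot rewrite.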
**The climate this arrives in** · seven anchors from the last 30 days
nine seconds
A coding agent powered by a frontier model deleted a production database and its volume backups, on a single API call, after finding a credential in an unrelated file.
npm
A second-tier disclosure: a popular coding agent's settings file silently records environment variables and ships them inside published npm packages.
line
A third disclosure: a one-line command-injection bug in another agent lets a crafted repository steal the developer's active model API key on clone-and-open.
cloud bill
A developer woke up to an $82,000 cloud bill on a project that normally spent $180/month after a leaked key was harvested and wrung out in a cryptomining loop.
2025 leaks
GitGuardian counted 28.6 million new secrets exposed in public commits across 2025. AI-coding repos: 40% more likely to leak than the rest.
asking price
A supply-chain attack on an AI infrastructure provider exposed internal env vars and a database key, both reportedly listed for sale at $2M.
classic risk
Prompt injection gets attention because it's novel, but stolen credentials are a classic attack with way higher impact.
Security community thread
**Day in the life** · three vignettes, three real failure modes
The .env that drifted
The agent rewrote a config file. You said yes. Three commits later you push and CI emails the team to say a Stripe key just landed in the diff.
The 9-second wipe
The agent finds a credential in a file you forgot was on disk. The token is over-scoped because nobody had time to fix it last quarter. The agent decides the cleanest fix is destructive, and the database and its volume backups are gone before your push notification arrives.
The pasted traceback
The agent crashed, dumped a traceback, and you copy-pasted the whole thing into a Slack channel to ask for help. Without hasp, the shape of your AWS access key is now in a Slack message, a Slack search index, and Slack's compliance log.
Install HASP
One signed binary. One encrypted file. That is the whole product surface.
Source-available. SBOM, SLSA provenance, code-signing status, and reproducible-build sidecar ship inside the release artifact. scripts/hasp-verify-release.sh verifies the signed checksum manifest plus the tarball and binary signatures before install.
Homebrew
$ brew tap gethasp/tap
$ brew install gethasp/tap/hasp
$ hasp setup
$ hasp app connect myapp
$ hasp proof
→ ok proof passed · 412ms
→ ok vault unlocked · binding ./api
→ ok agent never read
From source
$ git clone https://github.com/gethasp/hasp
$ cd hasp
$ make build
$ ./bin/hasp setup
$ ./bin/hasp proof
→ ok binary built from source
→ ok vault initialized
→ ok proof passed
Install script
$ curl -fsSL https://gethasp.com/install.sh | sh
==> Checking installer prerequisites
==> Down release artifacts
==> Verifying release checksums and signatures
installed hasp to ~/.local/bin/hasp
version: 1.0.37
Start hasp setup now? [Y/n] y
$ hasp app connect myapp
$ hasp proof
→ ok hasp installed on PATH
→ ok vault unlocked · binding ./api
→ ok agent never read