{"slug": "hasp-local-secret-broker", "title": "Hasp – Local Secret Broker", "summary": "Hasp launches a local secret broker that encrypts secrets in a single vault and grants short-lived, scoped access to apps and coding agents without exposing plaintext values. The tool uses Argon2id and AEAD encryption, runs entirely offline with no account or control plane, and supports MCP and CLI interfaces for agent integration.", "body_md": "# Hand the agent the keys.*Without actually handing it the keys.*\n\nA local broker that holds your secrets in one encrypted vault and hands them to apps and coding agents when needed, only inside the project boundary, only for the window you allow, and never as a value the agent can see.\n\n**Vault** 1 fileArgon2id · AEAD\n\n**Audit log** chained HMACappend-only\n\nat exec\n\n**hasp** brokerv1.0 · daemon\n\n11 enc.\n\n**Agent** MCP / CLI6 first-class\n\n**App** launcher on PATHenv · file · dotenv\n\n**Plaintext path** only inside the brokered child process\n\n**Cleartext at rest** never. memory only while unlocked\n\n## HASP core specifications\n\nenc\n\n### Streaming output redactor\n\nRaw, base64-std, base64-url, base32, hex (lower & upper), URL-encoded, JSON-escaped, HTML entity, double-percent, Unicode escape. Marker tokens preserve line counts.\n\nh\n\n### Hard grant ceiling\n\nOnce · session · window. Window accepts durations like 15m or 1h. The 24-hour ceiling is enforced inside the daemon. No policy can lift it.\n\n+1\n\n### First-class agent profiles\n\nclaude-code, codex-cli, cursor, aider, hermes, openclaw. A generic profile covers anything else that speaks MCP or runs a CLI.\n\ncloud\n\n### Local-first, end to end\n\nNo account. No control plane. Telemetry stays off unless you explicitly opt in. Works on a plane, in a SCIF, on a laptop with no network. Source-available critical path. Signed release with SBOM & SLSA.\n\n**Surface ***· the actual product, in three nouns*\n\n*· the actual product, in three nouns*\n\n**Noun 01**\n\n### Vault\n\nOne personal encrypted local store under your home directory. Argon2id with memory-hard parameters (64 MB · 3 iterations · 4 lanes). AEAD encryption at rest. All your secrets live here once.\n\n**Noun 02**\n\n### Apps\n\nNormal applications you connect to the vault: your dev server, your data tool, your CLI. After connecting, you launch them by name and the right values are present. Three delivery modes: env var, temp file 0600, temp dotenv outside the repo.\n\n**Noun 03**\n\n### Agents\n\nCoding agents you connect to the vault. After connecting, the agent works through hasp instead of around it. MCP tool surface returns references and metadata, not values. The agent never reads the value.\n\nSetup is explicit, once. *Runtime is invisible, every time after.*\n\n**Features ***· the whole local broker, organized by job*\n\n*· the whole local broker, organized by job*\n\n### One local trust boundary, four moving parts.\n\nHASP stays small on purpose: secrets live in one encrypted vault, repo roots define where they may be used, repo targets choose the workflow subset, apps and agents connect once, and short-lived grants deliver values only to a specific brokered run.\n\n- Vault\n- Encrypted local store of named secrets under\n`HASP_HOME`\n\n. - Repo\n- A bound project root plus optional value-free targets for workflow-specific delivery.\n- Agent\n- A connected app or coding agent that gets brokered access.\n- Grant\n- Short-lived, scoped permission to deliver a secret to one run.\n\n- Start and prove\n- Guided setup, repo bootstrap, first vault creation, health diagnosis, and the brokered first-proof check.\n`setup`\n\n`bootstrap`\n\n`init`\n\n`doctor`\n\n`proof`\n\n- Keep secrets named\n- Add, import, capture, update, reveal, copy, expose, and hide values without turning them into loose project files.\n`secret`\n\n`import`\n\n`set`\n\n`capture`\n\n- Bind the repo edge\n- Project roots become policy boundaries. Inspect requirements, list targets, adopt repos, unbind stale ones, and scan for leaked managed values.\n`project`\n\n`check-repo`\n\n- Run without revealing\n- Resolve env and file refs at exec time, or expand a manifest target. Convenience env files exist, but only as an explicit operator request.\n`run`\n\n`inject`\n\n`write-env`\n\n- Apps and agents\n- Connect app profiles and coding-agent profiles once. MCP and CLI surfaces return references and metadata, not secret values.\n`app`\n\n`agent`\n\n`mcp`\n\n- Lock, backup, restore\n- Lock session material, export encrypted backups, and restore a vault without making recovery a plaintext workflow.\n`vault`\n\n`export-backup`\n\n`restore-backup`\n\n- Runtime and grants\n- Start or inspect the daemon, open or revoke broker sessions, check reachability, and see current vault and daemon state.\n`daemon`\n\n`session`\n\n`status`\n\n`ping`\n\n- Evidence and maintenance\n- Print audit history, upgrade signed releases, generate completions and docs, report versions, and keep the deprecated TUI path visible.\n`audit`\n\n`upgrade`\n\n`completion`\n\n`docs`\n\n`version`\n\n`tui`\n\n**Outcomes ***· what stops being your problem*\n\n*· what stops being your problem*\n\n**Brokered run** hasp run · hasp inject\n\n**Process-tree-bound grant** once · session · window\n\n**Repo guardrails** scan · pre-commit · pre-push · deploy wrapper\n\n**Streaming redactor** across 11 encodings\n\n**One vault, many apps** launcher on PATH\n\n**Append-only audit** chained-hash HMAC\n\n**Fail-closed everywhere** no silent downgrade\n\n**The climate this arrives in ***· seven anchors from the last 30 days*\n\n*· seven anchors from the last 30 days*\n\n*nine seconds*\n\nA coding agent powered by a frontier model deleted a production database and its volume backups, on a single API call, after finding a credential in an unrelated file.\n\n[TechStartups](https://techstartups.com/2026/04/28/claude-powered-ai-coding-agent-deletes-production-database-and-backups-in-9-seconds/)\n\n*npm*\n\nA second-tier disclosure: a popular coding agent's settings file silently records environment variables and ships them inside published npm packages.\n\n[SecurityBrief](https://securitybrief.asia/story/claude-code-can-leak-secrets-in-public-npm-packages)\n\n*line*\n\nA third disclosure: a one-line command-injection bug in another agent lets a crafted repository steal the developer's active model API key on clone-and-open.\n\n[Check Point](https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/)\n\n*cloud bill*\n\nA developer woke up to an $82,000 cloud bill on a project that normally spent $180/month after a leaked key was harvested and wrung out in a cryptomining loop.\n\n[SecureStartKit](https://medium.com/@securestartkit/exposed-api-keys-how-ai-tools-leak-your-secrets-and-how-to-lock-them-down-8a201c3651da)\n\n*2025 leaks*\n\nGitGuardian counted 28.6 million new secrets exposed in public commits across 2025. AI-coding repos: 40% more likely to leak than the rest.\n\n[GitGuardian](https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/)\n\n*asking price*\n\nA supply-chain attack on an AI infrastructure provider exposed internal env vars and a database key, both reportedly listed for sale at $2M.\n\n[VentureBeat](https://venturebeat.com/security/vercel-breach-exposes-the-oauth-gap-most-security-teams-cannot-detect-scope-or-contain)\n\n*classic risk*\n\nPrompt injection gets attention because it's novel, but stolen credentials are a classic attack with way higher impact.\n\nSecurity community thread**Day in the life ***· three vignettes, three real failure modes*\n\n*· three vignettes, three real failure modes*\n\n### The .env that drifted\n\nThe agent rewrote a config file. You said yes. Three commits later you push and CI emails the team to say a Stripe key just landed in the diff.\n\n### The 9-second wipe\n\nThe agent finds a credential in a file you forgot was on disk. The token is over-scoped because nobody had time to fix it last quarter. The agent decides the cleanest fix is destructive, and the database and its volume backups are gone before your push notification arrives.\n\n### The pasted traceback\n\nThe agent crashed, dumped a traceback, and you copy-pasted the whole thing into a Slack channel to ask for help. Without hasp, the shape of your AWS access key is now in a Slack message, a Slack search index, and Slack's compliance log.\n\n## Install HASP\n\n### One signed binary. *One encrypted file. That is the whole product surface.*\n\nSource-available. SBOM, SLSA provenance, code-signing status, and reproducible-build sidecar ship inside the release artifact. `scripts/hasp-verify-release.sh`\n\nverifies the signed checksum manifest plus the tarball and binary signatures before install.\n\n**Homebrew**\n\n``` bash\n$ brew tap gethasp/tap\n$ brew install gethasp/tap/hasp\n$ hasp setup\n$ hasp app connect myapp\n$ hasp proof\n\n→ ok proof passed · 412ms\n→ ok vault unlocked · binding ./api\n→ ok agent never read\n```\n\n**From source**\n\n``` bash\n$ git clone https://github.com/gethasp/hasp\n$ cd hasp\n$ make build\n$ ./bin/hasp setup\n$ ./bin/hasp proof\n\n→ ok binary built from source\n→ ok vault initialized\n→ ok proof passed\n```\n\n**Install script**\n\n``` js\n$ curl -fsSL https://gethasp.com/install.sh | sh\n==> Checking installer prerequisites\n==> Downloading release artifacts\n==> Verifying release checksums and signatures\ninstalled hasp to ~/.local/bin/hasp\nversion: 1.0.37\nStart hasp setup now? [Y/n] y\n$ hasp app connect myapp\n$ hasp proof\n\n→ ok hasp installed on PATH\n→ ok vault unlocked · binding ./api\n→ ok agent never read\n```\n\n", "url": "https://wpnews.pro/news/hasp-local-secret-broker", "canonical_source": "https://gethasp.com/", "published_at": "2026-06-26 17:55:59+00:00", "updated_at": "2026-06-26 18:04:48.946939+00:00", "lang": "en", "topics": ["developer-tools", "ai-agents", "ai-safety", "ai-infrastructure"], "entities": ["Hasp", "Argon2id", "MCP", "CLI", "Claude Code", "Codex CLI", "Cursor", "Aider"], "alternates": {"html": "https://wpnews.pro/news/hasp-local-secret-broker", "markdown": "https://wpnews.pro/news/hasp-local-secret-broker.md", "text": "https://wpnews.pro/news/hasp-local-secret-broker.txt", "jsonld": "https://wpnews.pro/news/hasp-local-secret-broker.jsonld"}}