hasp - local secret broker

Overview / Description

hasp is an AI-agent security tool that acts as a local secret broker: it holds your credentials in one encrypted vault and hands them to apps and coding agents only when needed, without exposing the values to the agent's context. It targets developers using AI coding agents who want to prevent API keys and tokens from leaking into prompts, logs, or model context windows. Secrets live in a single local vault protected with Argon2id key derivation and AEAD encryption, and hasp delivers them only to the executing process (bound to the process tree and the project boundary) under a hard 24-hour grant ceiling. A streaming output redactor scrubs secret values across 11 encoding formats so they don't surface in agent output, and a tamper-evident, append-only audit log chained with HMAC records every access. It ships first-class profiles for six-plus agents including Claude Code, Cursor, and Aider, plus repo guardrails that scan on pre-commit and pre-push. The design is local-first with no cloud dependency and fails closed, refusing an operation rather than downgrading security, which makes it suited to teams that let coding agents run real commands but can't risk plaintext credential exposure.

Used For

Securely supplying secrets to AI coding agents and apps without exposing the credential values.

Pricing

Plan

Free

Pricing not published — contact sales

Pros & Cons

Pros

  • Single local vault protected with Argon2id key derivation and AEAD encryption, no cloud dependency
  • Delivers secrets to the process only, bound to project boundary and process tree
  • Streaming output redactor scrubs secrets across 11 encoding formats
  • Tamper-evident append-only audit log chained with HMAC
  • First-class profiles for Claude Code, Cursor, Aider, and more, plus pre-commit/pre-push guardrails

Cons

  • Pricing is not published on the site
  • Requires local setup and is aimed at technical/developer users
  • Hard 24-hour grant ceiling may need re-granting for long-running workflows

Alternatives

HashiCorp Vault, Doppler, 1Password CLI, Infisical, Akeyless