Zero-Knowledge Secrets Broker

Secrets stay secret.Agents stay powerful.

Opaque is a local approval-gated secrets broker for AI coding tools. LLMs get operations — never plaintext values.

Get Started GitHub
$curl -fsSL https://opaque.dev/install.sh | sh
Policy
Approval
Execute
Sanitize
Audit
The Problem

AI agents need secrets.
They shouldn't see them.

Most secret-consuming workflows are write-only from the agent's perspective. Agents don't need plaintext — they just need to request the operation.

Plaintext Leaks

Environment variables and config files expose secrets directly to LLM context windows. One hallucination away from leaking credentials.

No Approval Gate

AI agents act on secrets without human confirmation. There's no biometric check, no intent dialog — just blind trust in a probabilistic model.

Zero Auditability

When something goes wrong, there's no record of which agent accessed what secret, when, or why. Incident response starts from zero.

How It Works

Five stages. No bypass paths.

Every operation passes through a strict five-stage pipeline enforced by Rust's type system. There are no shortcuts.

1

Policy Check

Deny-by-default engine evaluates allowlist rules matching on operation name, client identity, and target fields.

2

Native OS Approval

Touch ID on macOS or polkit on Linux. Real biometric or password confirmation for every sensitive operation.

3

Secure Execution

Operations run inside a trusted daemon. Secrets are resolved from providers and used — but never returned to the caller.

4

Typestate Sanitization

Rust's type system guarantees only sanitized responses can reach clients. Regex-based scrubbing adds defense in depth.

5

Structured Audit

Every operation is logged to SQLite with correlation IDs, full-text search, and real-time streaming via SSE.

policy.toml
# Deny-by-default: only listed operations are allowed

[[rules]]
name     = "Allow GitHub secret sync"
operations = ["github.set_secret", "github.list_secrets"]
clients  = ["claude-code"]
effect   = "allow"
approval = "biometric"

[[rules]]
name     = "Allow Vault reads"
operations = ["vault.get_secret"]
clients  = ["*"]
effect   = "allow"
approval = "lease"
lease_ttl = 300
Features

Built for production security.

Every feature exists to keep secrets out of LLM context while maximizing agent capabilities.

Typestate Sanitization

Rust's type system makes it a compile-time error to return unsanitized responses. Not a convention — a guarantee.

Touch ID / Polkit

Native OS approval for every sensitive operation. Touch ID on macOS, polkit on Linux. Real biometric trust.

MCP Integration

First-class Model Context Protocol server. Claude Code sees Opaque operations as native tools — zero configuration.

Approval Leases

Approve once, reuse the lease. Prevents approval fatigue without compromising security. Configurable TTL per rule.

Real-Time Audit

Every operation logged to SQLite with correlation IDs and full-text search. Live streaming via Server-Sent Events.

Client Identity

Unix peer credentials + executable SHA-256 hash + optional macOS Team ID. Know exactly which process is asking.

Integrations

Your secrets. Wherever they live.

Opaque connects to the providers you already use. Resolve secrets from any source with a unified reference scheme.

GitHub
GitLab
1P 1Password
Bitwarden
HCV Vault
AWS
Azure
GCP

Plus macOS Keychain · Linux secret-tool · Environment variables · Execution profiles

Operations

Operations, not secrets.

Agents invoke named operations with safety classifications. The daemon resolves secrets internally and returns only sanitized results.

OperationProviderDescriptionSafety
github.set_secretGitHubSet an Actions, Codespaces, or Dependabot secretSensitive
github.list_secretsGitHubList secret names (never values) for a repositorySafe
gitlab.set_variableGitLabSet a CI/CD variable with full options (protected, masked)Sensitive
vault.get_secretVaultRead a KV v1/v2 secret with lease-aware cachingSensitive
vault.put_secretVaultWrite a secret to Vault KV storeDangerous
onepassword.get_item1PasswordRetrieve an item from a 1Password vaultSensitive
bitwarden.get_secretBitwardenFetch a secret via Bitwarden Secrets ManagerSensitive
sandbox.execSystemExecute a command with injected secrets in a sandboxDangerous
test.noopSystemNo-op for testing the pipeline end-to-endSafe

“AI coding tools and strong security
are not at odds.

The Opaque Manifesto

Get Started

Up and running
in sixty seconds.

1

Install

Single-line install script, or build from source with cargo install.

2

Configure

Run opaque init to generate a policy file and set up your first provider.

3

Connect

Add the MCP server to Claude Code. Agent tools appear automatically.

terminal
# Install Opaque
$ curl -fsSL https://opaque.dev/install.sh | sh

# Initialize configuration
$ opaque init
  Creating ~/.opaque/config.toml...
  Generating web dashboard token...
  Done! Run `opaqued` to start the daemon.

# Start the daemon
$ opaqued
  Listening on /tmp/opaque.sock
  Web dashboard: http://127.0.0.1:7380
  Policy loaded: 3 rules, 0 warnings

# Add to Claude Code
$ opaque mcp install
  MCP server registered with Claude Code
  Available tools: 9 operations

Ready to keep secrets out of context?

Open source under Apache-2.0. Works on macOS and Linux. Built with Rust.

View on GitHub Read the Docs