agent-vault 命令

常用示例

说明

agent-vault is an HTTP credential proxy and vault designed to keep secrets away from AI agents while still letting them call authenticated APIs. Instead of handing raw API keys or tokens to the agent process, Agent Vault runs the agent as a child process with HTTPS_PROXY pointed at a local TLS-terminating proxy. The proxy injects the correct credentials into outbound HTTPS requests for allowed destinations, so the agent never sees the secret itself. The server exposes an HTTP API on port 14321 (where credentials, policies, and sessions are managed via a web UI) and a transparent HTTPS proxy on port 14322. The agent-vault vault run -- <command> wrapper spawns a short-lived scoped session, sets HTTPS_PROXY and the proxy's CA certificate in the child's environment, and tears the session down when the command exits. This reduces the blast radius of a compromised or misbehaving agent: even if the agent is tricked into exfiltration, it cannot leak credentials it never held.

参数

server

Start the HTTP API (default port 14321) and the TLS-encrypted transparent HTTPS proxy (default port 14322).

server -d, --daemon

Run the server in the background as a daemon.

server stop

Stop a running server daemon.

vault run -- _command_

Execute _command_ with credential brokering enabled. Automatically creates a scoped session, injects HTTPS_PROXY and CA-trust environment variables, and transparently proxies outgoing HTTPS requests.

--config _FILE_

Use an alternative configuration file.

--port _PORT_

Override the HTTP API port (default 14321).

--proxy-port _PORT_

Override the HTTPS proxy port (default 14322).

--version

Print the Agent Vault version and exit.

--help

Show help for Agent Vault or for a specific subcommand.