EnigmAgent MCP server — AES-256-GCM encrypted vault for AI agents via MCP protocol
enigmagent-mcp
Local encrypted vault MCP server. Your LLM types
{{OPENAI_KEY}}. The real value never reaches the model — not in prompts, not in logs, not in conversation history.
npx enigmagent-mcp --vault ./my.vault.json
That's the entire install. Works with Claude Desktop, Cursor, Continue.dev, Cline, Open WebUI, AnythingLLM, LM Studio, Zed, and anything else that speaks MCP.
⭐ Star this repo if you've ever pasted a token you regretted.
The 30-second pitch
You ask Claude to call your GitHub API. Claude needs GITHUB_TOKEN. Three options that all suck:
- Paste it in the chat → it lives in the provider's logs forever
- Put it in env vars → it leaks the moment Claude reads
.envwhile debugging - Skip the agent → you lose the whole point
Option 4: type {{GITHUB_TOKEN}} in the prompt. EnigmAgent intercepts at the MCP boundary, decrypts locally with AES-256-GCM, and returns the real token only when the requesting origin matches the secret's bound domain. The model literally never has the value.
Setup per client
Claude Desktop
~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"enigmagent": {
"command": "npx",
"args": ["-y", "enigmagent-mcp", "--vault", "/absolute/path/to/my.vault.json"]
}
}
}
Restart Claude. Two new tools appear: enigmagent_resolve and enigmagent_list.
Cursor
~/.cursor/mcp.json:
{
"mcpServers": {
"enigmagent": {
"command": "npx",
"args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
}
}
}
Continue.dev
~/.continue/config.yaml:
mcpServers:
- name: enigmagent
command: npx
args: ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
Cline (VS Code)
cline_mcp_settings.json:
{
"mcpServers": {
"enigmagent": {
"command": "npx",
"args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
}
}
}
Open WebUI
# uses mcpo (https://github.com/open-webui/mcpo) as bridge
mcpo --port 8000 -- npx enigmagent-mcp --vault /abs/path/my.vault.json
Custom REST integration
npx enigmagent-mcp --mode rest --port 3737 --vault /abs/path/my.vault.json
Then POST /resolve with {"placeholder": "OPENAI_KEY", "origin": "https://api.openai.com"} returns the decrypted value (only when the origin matches the secret's bound domain).
CI / headless mode
Skip the interactive password prompt with env vars (only do this in trusted environments):
ENIGMAGENT_USER=alice ENIGMAGENT_PASS=… npx enigmagent-mcp --vault ./my.vault.json
Without these, the server starts in locked mode if there's no TTY — useful behind mcp-proxy and similar wrappers.
MCP tools exposed
| Tool | Description |
|---|---|
| enigmagent_resolve | Resolve a placeholder to its vault value. Domain binding enforced — the requesting origin must match the secret's bound domain |
| enigmagent_list | List secret names + their bound domains. Never returns values |
// example tool call
{
"name": "enigmagent_resolve",
"arguments": {
"placeholder": "GITHUB_TOKEN",
"origin": "https://api.github.com"
}
}
// → returns the decrypted token string
How it works
LLM emits tool call: fetch({headers: {Authorization: "Bearer {{OPENAI_KEY}}"}})
│
┌───────────────▼───────────────┐
│ enigmagent-mcp (this server) │
│ • match placeholder name │
│ • check origin == bound dom. │
│ • decrypt with AES-256-GCM │
└───────────────┬───────────────┘
│ real token
▼
HTTPS to api.openai.com
The plaintext value exists in process memory for one event-loop tick. Never logged, never in stdout, never visible to the model.
Security model
| Layer | Implementation |
|---|---|
| KDF | Argon2id (m=64 MiB, t=3, p=1) — @noble/hashes@1.4.0, bundled |
| Encryption | AES-256-GCM, 96-bit nonce per entry |
| Domain binding | Every secret pinned to a domain; resolver rejects mismatched origins |
| Master key | Lives in process memory only — never written to disk |
| Vault file | Encrypted JSON, plaintext never persisted |
What it does not protect against: a compromised process reading session memory, a malicious MCP server you've connected to with permission to call enigmagent_resolve, side-channels (timing, swap, core dumps). Full threat model: docs/THREAT_MODEL.md.
Full ecosystem
This repo is the MCP server alone. The full EnigmAgent project includes:
- Browser extension (Chrome/Firefox/Edge) for credentials inside web forms
- Python SDK for LangChain / LlamaIndex / CrewAI
- REST + stdio dual-mode API
- Domain-bound document injection (
{{DOC:filename}})
Main repository: https://github.com/Agnuxo1/EnigmAgent
EnigmAgent is part of the OpenCLAW / P2PCLAW ecosystem of privacy-preserving local AI tooling — a multi-agent scientific research network where dozens of LLM agents need credentials and none of them should have them.
License
MIT — see LICENSE.
Contributing
Pull requests welcome. Security disclosures: see SECURITY.md in the main repo.