enigmagent-mcp

Local encrypted vault MCP server. Your LLM types {{OPENAI_KEY}}. The real value never reaches the model — not in prompts, not in logs, not in conversation history.

npx enigmagent-mcp --vault ./my.vault.json

That's the entire install. Works with Claude Desktop, Cursor, Continue.dev, Cline, Open WebUI, AnythingLLM, LM Studio, Zed, and anything else that speaks MCP.

⭐ Star this repo if you've ever pasted a token you regretted.

---

The 30-second pitch

You ask Claude to call your GitHub API. Claude needs GITHUB_TOKEN. Three options that all suck:

1. Paste it in the chat → it lives in the provider's logs forever
2. Put it in env vars → it leaks the moment Claude reads .env while debugging
3. Skip the agent → you lose the whole point

Option 4: type {{GITHUB_TOKEN}} in the prompt. EnigmAgent intercepts at the MCP boundary, decrypts locally with AES-256-GCM, and returns the real token only when the requesting origin matches the secret's bound domain. The model literally never has the value.

---

Setup per client

Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/absolute/path/to/my.vault.json"]
    }
  }
}

Restart Claude. Two new tools appear: enigmagent_resolve and enigmagent_list.

Cursor

~/.cursor/mcp.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Continue.dev

~/.continue/config.yaml:

mcpServers:
  - name: enigmagent
    command: npx
    args: ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]

Cline (VS Code)

cline_mcp_settings.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Open WebUI

# uses mcpo (https://github.com/open-webui/mcpo) as bridge
mcpo --port 8000 -- npx enigmagent-mcp --vault /abs/path/my.vault.json

Custom REST integration

npx enigmagent-mcp --mode rest --port 3737 --vault /abs/path/my.vault.json

Then POST /resolve with {"placeholder": "OPENAI_KEY", "origin": "https://api.openai.com"} returns the decrypted value (only when the origin matches the secret's bound domain).

---

CI / headless mode

Skip the interactive password prompt with env vars (only do this in trusted environments):

ENIGMAGENT_USER=alice ENIGMAGENT_PASS=… npx enigmagent-mcp --vault ./my.vault.json

Without these, the server starts in locked mode if there's no TTY — useful behind mcp-proxy and similar wrappers.

---

MCP tools exposed

Tool	Description
enigmagent_resolve	Resolve a placeholder to its vault value. Domain binding enforced — the requesting origin must match the secret's bound domain
enigmagent_list	List secret names + their bound domains. Never returns values

// example tool call
{
  "name": "enigmagent_resolve",
  "arguments": {
    "placeholder": "GITHUB_TOKEN",
    "origin": "https://api.github.com"
  }
}
// → returns the decrypted token string

---

How it works

LLM emits tool call:  fetch({headers: {Authorization: "Bearer {{OPENAI_KEY}}"}})
                                                              │
                                              ┌───────────────▼───────────────┐
                                              │  enigmagent-mcp (this server) │
                                              │  • match placeholder name     │
                                              │  • check origin == bound dom. │
                                              │  • decrypt with AES-256-GCM   │
                                              └───────────────┬───────────────┘
                                                              │  real token
                                                              ▼
                                                    HTTPS to api.openai.com

The plaintext value exists in process memory for one event-loop tick. Never logged, never in stdout, never visible to the model.

---

Security model

Layer	Implementation
KDF	Argon2id (m=64 MiB, t=3, p=1) — @noble/hashes@1.4.0, bundled
Encryption	AES-256-GCM, 96-bit nonce per entry
Domain binding	Every secret pinned to a domain; resolver rejects mismatched origins
Master key	Lives in process memory only — never written to disk
Vault file	Encrypted JSON, plaintext never persisted

What it does not protect against: a compromised process reading session memory, a malicious MCP server you've connected to with permission to call enigmagent_resolve, side-channels (timing, swap, core dumps). Full threat model: docs/THREAT_MODEL.md.

---

Full ecosystem

This repo is the MCP server alone. The full EnigmAgent project includes:

• Browser extension (Chrome/Firefox/Edge) for credentials inside web forms
• Python SDK for LangChain / LlamaIndex / CrewAI
• REST + stdio dual-mode API
• Domain-bound document injection ({{DOC:filename}})

Main repository: https://github.com/Agnuxo1/EnigmAgent

EnigmAgent is part of the OpenCLAW / P2PCLAW ecosystem of privacy-preserving local AI tooling — a multi-agent scientific research network where dozens of LLM agents need credentials and none of them should have them.

---

License

MIT — see LICENSE.

Contributing

Pull requests welcome. Security disclosures: see SECURITY.md in the main repo.

— Francisco Angulo de Lafuente