agent-vault-sdk 0.1.0

Zero-trust credential manager for AI agents — Python SDK

agent-vault Python SDK

Read-only Python SDK for agent-vault — a zero-trust credential manager for AI agents.

Installation

pip install agent-vault

# With MCP server support:
pip install 'agent-vault[mcp]'

Quick Start

from agent_vault import Vault

vault = Vault(
    repo_path="/path/to/vault",
    key_path="~/.agent-vault/agents/my-agent.key",
)

# Pull latest and decrypt
api_key = vault.get("stripe/api-key")

Key Resolution

The SDK resolves the identity key in this order:

1. key_str= parameter (raw key string)
2. key_path= parameter (path to key file)
3. AGENT_VAULT_KEY environment variable (key as string)
4. ~/.agent-vault/owner.key (default owner key)

API

Vault(repo_path, key_path=None, key_str=None, auto_pull=True)

Create a read-only vault connection.

• repo_path: Path to the Git repo containing .agent-vault/
• key_path: Path to an age private key file
• key_str: Raw age private key string
• auto_pull: Git pull before each get() (default: True)

vault.get(secret_path) -> str

Decrypt and return a secret. Raises SecretNotFoundError or NotAuthorizedError.

vault.list_secrets(group=None) -> list[SecretMetadata]

List secret metadata without decrypting.

vault.list_agents() -> list[dict]

List agents and their group memberships.

vault.pull()

Manually pull latest changes from Git remote.

vault.reload()

Reload the manifest from disk (e.g., after a pull).

MCP Server

The package includes an MCP server for use with MCP-compatible AI agents:

agent-vault-mcp --repo /path/to/vault --key ~/.agent-vault/agents/my-agent.key

This runs a stdio-based MCP server exposing:

• agent_vault_get(secret) — retrieve and decrypt a secret
• agent_vault_list(group?) — list available secrets

Claude Desktop Configuration

{
  "mcpServers": {
    "agent-vault": {
      "command": "agent-vault-mcp",
      "args": ["--repo", "/path/to/vault", "--key", "/path/to/agent.key"]
    }
  }
}