{"id":50769887,"url":"https://github.com/danieljustus/symaira-vault","last_synced_at":"2026-06-11T17:02:39.108Z","repository":{"id":354130173,"uuid":"1218343680","full_name":"danieljustus/symaira-vault","owner":"danieljustus","description":"šŸ” The password manager for terminal users and AI agents. Age-encrypted, keyring-cached, MCP-ready. Zero telemetry.","archived":false,"fork":false,"pushed_at":"2026-06-08T11:02:08.000Z","size":11903,"stargazers_count":18,"open_issues_count":4,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T12:10:28.502Z","etag":null,"topics":["age-encryption","agent-skills","ai-agents","claude-code","cli","codex-cli","golang","hermes-agent","hermes-skill","mcp","mcp-server","openclaw","openclaw-skill","opencode","own-your-data","password-manager","security"],"latest_commit_sha":null,"homepage":"https://symaira.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danieljustus.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-22T19:28:03.000Z","updated_at":"2026-06-08T11:02:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/danieljustus/symaira-vault","commit_stats":null,"previous_names":["danieljustus/openpass","danieljustus/symaira-vault"],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/danieljustus/symaira-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danieljustus%2Fsymaira-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danieljustus%2Fsymaira-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danieljustus%2Fsymaira-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danieljustus%2Fsymaira-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/danieljustus","download_url":"https://codeload.github.com/danieljustus/symaira-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danieljustus%2Fsymaira-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34208761,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["age-encryption","agent-skills","ai-agents","claude-code","cli","codex-cli","golang","hermes-agent","hermes-skill","mcp","mcp-server","openclaw","openclaw-skill","opencode","own-your-data","password-manager","security"],"created_at":"2026-06-11T17:02:38.346Z","updated_at":"2026-06-11T17:02:39.091Z","avatar_url":"https://github.com/danieljustus.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Symaira Vault (ex. OpenPass)\n\n[![CI](https://github.com/danieljustus/symaira-vault/actions/workflows/ci.yml/badge.svg)](https://github.com/danieljustus/symaira-vault/actions/workflows/ci.yml)\n[![Release](https://img.shields.io/github/v/release/danieljustus/symaira-vault)](https://github.com/danieljustus/symaira-vault/releases/latest)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Go Reference](https://pkg.go.dev/badge/github.com/danieljustus/symaira-vault.svg)](https://pkg.go.dev/github.com/danieljustus/symaira-vault)\n[![Go Report Card](https://goreportcard.com/badge/github.com/danieljustus/symaira-vault)](https://goreportcard.com/report/github.com/danieljustus/symaira-vault)\n\n![Symaira Vault hero](docs/assets/symvault-hero.png)\n\nA modern, secure command-line password manager written in Go. Uses [age](https://age-encryption.org/) for encryption with built-in MCP server support for AI agent integration.\n\n![Symaira Vault demo](docs/assets/symvault-demo.gif)\n\n\u003e **Safety Notice**: Symaira Vault manages sensitive secrets. Use at your own risk, keep tested backups of your vault, and verify recovery before relying on it for critical credentials.\n\n## Features\n\n- **Modern Encryption**: [age](https://age-encryption.org/) (X25519 + ChaCha20-Poly1305)\n- **TOTP Support**: Store and generate TOTP codes\n- **Clipboard Auto-Clear**: Automatic clearing after timeout\n- **Autotype**: Cross-platform automatic password entry (macOS, Linux, Windows)\n- **Secret Execution**: Run commands with vault secrets injected as environment variables\n- **Session Caching**: OS keyring with 15-minute TTL\n- **Git Integration**: Automatic commits and sync\n- **Multi-User Vaults**: age recipients for shared access\n- **MCP Server**: stdio and HTTP for AI agent integration with scoped token management\n- **MCP Slash Commands**: `add-credential`, `rotate-credential`, `find-and-use`, `share-credential` ā€” guided workflows surfaced as slash commands in Claude Code, OpenCode, Hermes\n- **Native Secure-Input Dialog**: cross-platform popups (macOS osascript, Linux zenity/kdialog, Windows Get-Credential) for collecting credentials from agents without exposing them in chat\n- **Cross-Platform**: macOS, Linux, Windows, FreeBSD\n\n## Installation\n\n### Quick install\n\n**macOS / Linux:**\n```bash\ncurl -sSfL https://raw.githubusercontent.com/danieljustus/symaira-vault/main/scripts/install.sh | sh\n```\n\n**Windows:**\n```powershell\nirm https://raw.githubusercontent.com/danieljustus/symaira-vault/main/scripts/install.ps1 | iex\n```\n\n**Homebrew:**\n```bash\nbrew tap danieljustus/tap\nbrew install symvault\n```\n\n**Scoop:**\n```powershell\nscoop bucket add symvault https://github.com/danieljustus/scoop-bucket\nscoop install symvault\n```\n\n**Nix (Flake):**\n```bash\n# Run directly (no install needed)\nnix run github:danieljustus/symaira-vault\n\n# Or add as a flake input\n# flake.nix:\n# inputs.symvault.url = \"github:danieljustus/symaira-vault\";\n```\n\u003e **Note:** The flake is new. Go module dependencies are pinned via `vendorHash` in `flake.nix`. If updating dependencies, run `go mod vendor \u0026\u0026 nix hash path --sri vendor/` and update the hash.\n\n**Go:**\n```bash\ngo install github.com/danieljustus/symaira-vault@latest\n```\n\nFor manual downloads, Linux packages, release verification (including Cosign signature verification), and build-from-source instructions, see [docs/distribution.md](docs/distribution.md).\n\n| Platform | amd64 | arm64 | Install Methods |\n|----------|-------|-------|-----------------|\n| macOS | āœ“ | āœ“ | Quick install, Homebrew, Go, Manual |\n| Linux | āœ“ | āœ“ | Quick install, Homebrew, Go, Manual, deb/rpm/apk |\n| Windows | āœ“ | āœ“ | Quick install, Scoop, Go, Manual |\n| FreeBSD | āœ“ | āœ“ | Go, Manual |\n| NixOS / Nix | āœ“ | āœ“ | Nix flake (`nix run github:danieljustus/symaira-vault`) |\n\n## Quick Start\n\n```bash\n# Initialize vault\nsymvault init\n\n# Add a password\nsymvault add github\n# or non-interactive:\nsymvault set github.password --value \"mysecretpassword\"\n\n# Add TOTP metadata\nsymvault add github --totp-secret JBSWY3DPEHPK3PXP --totp-issuer GitHub\n\n# Retrieve (auto-copies to clipboard with 45s timeout)\nsymvault get github.password --clip\n\n# Autotype password into focused application (macOS/Linux/Windows)\nsymvault get github.password --autotype\n\n# Show entry details, including the current TOTP code when configured\nsymvault get github\n\n# List and search\nsymvault list\nsymvault find mybank\n\n# Generate secure passwords\nsymvault generate --length 32 --symbols\nsymvault generate --store newaccount.password --length 20 --symbols\n\n# Session management\nsymvault unlock # cache passphrase\nsymvault lock # clear cache\nsymvault auth status\nsymvault auth set touchid # macOS Touch ID unlock\nsymvault auth set passphrase # passphrase-only unlock\n\n# Interactive Terminal UI (Experimental)\nsymvault ui --experimental\n\n# Recipients for multi-user vaults\nsymvault recipients list\nsymvault recipients add age1...\n\n# Git sync\nsymvault git pull\nsymvault git push\n\n# Secret execution (injects vault secrets as env vars)\nsymvault run --env API_KEY=api.kimi-key -- curl -H \"Authorization: Bearer $API_KEY\" https://api.example.com\n\n# Backup/Restore\nsymvault backup ~/backups/symvault-$(date +%Y%m%d).tar.gz\nsymvault restore ~/backups/symvault-20260427.tar.gz\n```\n\nBackup archives contain encrypted vault files, identity material, config, and MCP tokens. Protect them like the vault itself and test restore before relying on backups.\n\n## Migration from other managers\n\nSymaira Vault can import from 1Password, Bitwarden, pass, and CSV exports:\n\n```bash\nsymvault import \u003cformat\u003e \u003csource\u003e\nsymvault import bitwarden ~/exports/bitwarden.json\nsymvault import pass ~/.password-store\n```\n\nSee [docs/migration.md](docs/migration.md) for export steps, format details, and verification guidance.\n\n## MCP Server\n\nSymaira Vault exposes an MCP server for AI agent integration:\n\n![Symaira Vault architecture](docs/assets/symvault-architecture.png)\n\n```bash\n# Stdio mode (recommended for local agents)\nsymvault serve --stdio --agent claude-code\n\n# HTTP mode\nsymvault serve --port 8080\n```\n\nUse `symvault mcp-config` to generate ready-to-paste client config:\n\n```bash\nsymvault mcp-config claude-code\nsymvault mcp-config claude-code --http\nsymvault mcp-config hermes --http --format hermes\n```\n\nHTTP mode binds to `127.0.0.1` by default and uses bearer token authentication. Agents can use the MCP `generate_totp` tool to get current TOTP codes without receiving the stored TOTP secret.\n\n**Scoped Token Management** (v2.2.0+): Create fine-grained access tokens for agents:\n```bash\nsymvault mcp token create --agent hermes --tools list_entries,get_entry --expires 24h\nsymvault mcp token list\nsymvault mcp token revoke \u003ctoken-id\u003e\n```\n\nFor detailed agent setup, profiles, token management, and observability, see [docs/agent-integration.md](docs/agent-integration.md).\n\n## Configuration\n\nGlobal config: `~/.symvault/config.yaml`. See [`config.yaml.example`](config.yaml.example) for a commented starting point.\n\nFor the full configuration reference, see [docs/configuration.md](docs/configuration.md).\n\n### Environment Variables\n\n- `SYMVAULT_VAULT` ā€” Path to vault directory (default: `~/.symvault`)\n\n### Vault Structure\n\n```\n~/.symvault/\nā”œā”€ā”€ identity.age # Encrypted age identity\nā”œā”€ā”€ config.yaml # Vault configuration\nā”œā”€ā”€ mcp-token # Bearer token for HTTP MCP\nā”œā”€ā”€ entries/ # Encrypted password entries\nā”‚ ā”œā”€ā”€ github.age\nā”‚ ā””ā”€ā”€ work/\nā”‚ ā””ā”€ā”€ aws.age\nā””ā”€ā”€ .git/ # Git repository\n```\n\n## Security\n\n- age encryption: X25519 + ChaCha20-Poly1305\n- Passphrase never stored in plain text\n- Session caching via OS keyring (15-minute TTL)\n- Each entry individually encrypted\n- Git history contains only ciphertext\n- HTTP MCP bound to `127.0.0.1` with bearer token auth\n- **No telemetry** (see [SECURITY.md](SECURITY.md#privacy--telemetry))\n\n## Documentation\n\n- [Configuration reference](docs/configuration.md)\n- [Agent integration](docs/agent-integration.md)\n- [MCP API](docs/mcp-api.md)\n- [Audit event schema](docs/audit-schema.md)\n- [Audit retention \u0026 integrity](docs/audit-retention.md)\n- [Distribution channels](docs/distribution.md)\n- [Troubleshooting](docs/troubleshooting.md)\n- [Architecture](ARCHITECTURE.md)\n- [Security policy](SECURITY.md)\n\n## Comparison\n\n\u003e _Last updated: May 2026. Features, pricing, and availability are subject to change. Please verify all details on the respective product's official website before making decisions._\n\u003e\n\u003e **Disclaimer:** All product names, logos, and brands referenced in this comparison are trademarks or registered trademarks of their respective owners. Use of these names is for identification and informational purposes only and does not imply endorsement, affiliation, or sponsorship. The information in this comparison is provided \"as is\" without warranty of any kind.\n\n| Feature | Symaira Vault | 1Password | Bitwarden | pass (zx2c4) | Sharing with AI Agents in Chat |\n|---------|----------|-----------|-----------|--------------|-------------------------------|\n| **Encryption** | age (X25519 + ChaCha20-Poly1305) | AES-256 | AES-256 | GPG | None (plaintext) |\n| **Primary Interface** | Terminal-first | GUI-first (CLI available) | GUI-first (CLI available) | Terminal-only | Chat interface |\n| **AI Integration** | MCP server (stdio + HTTP) with scoped tokens | Agentic Autofill, SDKs for AI agents | MCP server, Agent Access SDK | No AI integration | Paste secrets into prompts |\n| **Pricing** | Free (MIT) | Subscription ($47.88/yr Individual) | Freemium / Subscription ($19.80/yr Premium) | Free (GPL) | Free (but risky) |\n| **Sync** | Git (built-in) | Cloud (1Password servers) | Cloud (Bitwarden servers) or self-host | Git (automatic commits) | Manual copy-paste |\n| **Self-hosting** | Full control (local vault + git) | Partial (Connect Server, SCIM Bridge) | Yes (official Docker/K8s or Vaultwarden) | Full control | N/A |\n| **Open Source** | Yes (MIT) | Partial (SDKs open, core proprietary) | Mostly (core GPL/AGPL, Enterprise Bitwarden License) | Yes (GPLv2+) | N/A |\n| **TOTP** | Built-in | Built-in | Premium feature | Extension only | Manual entry |\n| **Autotype** | Built-in (cross-platform) | Built-in (Windows Auto-Type, macOS Universal Autofill) | Browser autofill only (desktop autotype in development) | No built-in | Manual entry |\n| **Secret Execution** | Built-in (`symvault run`) | Built-in (`op run`) | Built-in (`bws run`) | No built-in | Not applicable |\n| **Session Caching** | OS keyring (15m TTL) | Biometric unlock, Magic Unlock, SSO | Biometric unlock, PIN, `BW_SESSION` token | gpg-agent | None |\n| **Git Integration** | Built-in | SSH agent, commit signing | SSH agent, GitHub Actions, GitLab CI | Built-in (automatic commits) | No |\n| **MCP Server** | Built-in (stdio + HTTP) | Community (official: no raw secrets via MCP) | Official (`bitwarden-mcp`) | No | No |\n| **Password Generation** | Built-in | Built-in | Built-in | Built-in | Manual / ad-hoc |\n| **Cross-Platform** | macOS, Linux, Windows, FreeBSD | macOS, Linux, Windows, mobile | macOS, Linux, Windows, mobile, web | Unix-like (Linux, macOS, FreeBSD) | Any chat platform |\n| **Telemetry** | **None** | Opt-in (personal), on-by-default (business) | Administrative data only (vault zero-knowledge) | None | Logged by chat providers |\n| **Entry Format** | Individual encrypted files | Proprietary database (1PUX export documented) | Encrypted JSON / SQLite | Individual encrypted files | Plaintext in chat history |\n\n**Symaira Vault differentiators:**\n\n- **Terminal-native**: Designed for keyboard-driven workflows without GUI dependency\n- **Modern encryption**: age instead of GPG ā€” simpler key management, no web of trust\n- **MCP-ready**: Native AI agent integration via Model Context Protocol with scoped tokens and audit logging\n- **Zero telemetry**: No analytics, no cloud dependency, no account required\n- **Built-in utilities**: TOTP, autotype, secret execution, and password generation without external tools\n- **Git-native**: Automatic sync with full version history of encrypted entries\n\n\u003e **Security note on AI agent chat sharing**: Pasting passwords into chat interfaces exposes secrets in plaintext chat history, model training logs, and provider databases. Unlike Symaira Vault's MCP integration ā€” which keeps credentials encrypted and uses scoped tokens with audit logging ā€” chat sharing provides no access control, rotation, or revocation capabilities.\n\n## Dependencies\n\n- Go 1.26.4 or later\n- [filippo.io/age](https://pkg.go.dev/filippo.io/age) ā€” encryption\n- [spf13/cobra](https://github.com/spf13/cobra) ā€” CLI framework\n- [zalando/go-keyring](https://github.com/zalando/go-keyring) ā€” OS keyring\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and PR process.\n\n### Testing\n\n```bash\n# Run all tests with race detector (recommended for local validation)\nmake test\n\n# Run tests without race detector (faster, for quick iteration)\nmake test-fast\n\n# Run specific package tests\ngo test ./internal/vault/... -v\n```\n\nTests include the Go race detector by default via `make test` to catch concurrency issues early. Use `make test-fast` when iterating quickly and you want a faster feedback loop without the race detector penalty.\n\nSome tests are skipped automatically:\n\n- **Slow tests** (`-short` flag): Flow and binary e2e tests skip in short mode. Run without `-short` to execute them.\n- **Headless CI**: Tests requiring the OS keyring (session caching) skip when no keyring backend is available (e.g., containerized or headless CI). These are environment-dependent and not failures.\n\n## License\n\nMIT License\n\n## Acknowledgments\n\n- Inspired by [pass](https://www.passwordstore.org/) from zx2c4\n- MCP support via [mark3labs/mcp-go](https://github.com/mark3labs/mcp-go)\n\n## Disclaimer\n\nUse at your own risk. Always keep tested backups of your vault.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanieljustus%2Fsymaira-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanieljustus%2Fsymaira-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanieljustus%2Fsymaira-vault/lists"}