{"id":50620996,"url":"https://github.com/keton-id/cora","last_synced_at":"2026-06-13T19:01:06.572Z","repository":{"id":360427624,"uuid":"1249741990","full_name":"keton-id/cora","owner":"keton-id","description":"Zero-knowledge secret injection for AI agents. Written in Zig.","archived":false,"fork":false,"pushed_at":"2026-06-06T11:08:35.000Z","size":381,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-06T12:21:40.491Z","etag":null,"topics":["zig","zig-package","ziglang"],"latest_commit_sha":null,"homepage":"http://cora.keton.id/","language":"Zig","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keton-id.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":"AUDIT_REPORT.md","citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-26T02:09:46.000Z","updated_at":"2026-06-06T11:08:24.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/keton-id/cora","commit_stats":null,"previous_names":["keton-id/cora"],"tags_count":38,"template":false,"template_full_name":null,"purl":"pkg:github/keton-id/cora","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keton-id%2Fcora","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keton-id%2Fcora/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keton-id%2Fcora/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/keton-id%2Fcora/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keton-id","download_url":"https://codeload.github.com/keton-id/cora/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keton-id%2Fcora/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34296383,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["zig","zig-package","ziglang"],"created_at":"2026-06-06T12:00:38.975Z","updated_at":"2026-06-13T19:01:06.567Z","avatar_url":"https://github.com/keton-id.png","language":"Zig","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cora 🤫\n\n[![CI](https://github.com/keton-id/cora/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/keton-id/cora/actions/workflows/ci.yml)\n[![License: AGPL-3.0-only](https://img.shields.io/badge/License-AGPL--3.0--only-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/keton-id/cora/pulls)\n\n**Stable 
latest**\n\n[![macOS](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/keton-id/cora/main/.github/badges/stable-macos.json)](https://github.com/keton-id/cora/releases?q=cora-macos-)\n[![Linux](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/keton-id/cora/main/.github/badges/stable-linux.json)](https://github.com/keton-id/cora/releases?q=cora-linux-)\n[![Windows](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/keton-id/cora/main/.github/badges/stable-windows.json)](https://github.com/keton-id/cora/releases?q=cora-windows-)\n\n**Pre-release latest**\n\n[![macOS](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/keton-id/cora/main/.github/badges/prerelease-macos.json)](https://github.com/keton-id/cora/releases?q=cora-macos-)\n[![Linux](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/keton-id/cora/main/.github/badges/prerelease-linux.json)](https://github.com/keton-id/cora/releases?q=cora-linux-)\n[![Windows](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/keton-id/cora/main/.github/badges/prerelease-windows.json)](https://github.com/keton-id/cora/releases?q=cora-windows-)\n\n\u003c!--\nPer-OS version badges auto-update from repo-managed JSON files. The release\nworkflow regenerates both `stable` and `pre-release` lanes from the GitHub\nReleases API after each publish, so badges follow the real latest release\nper OS instead of whichever tag happened to trigger the workflow.\n--\u003e\n\n\n\u003e *\"He never let anyone hear his true voice.\"*\n\n**Zero-knowledge secret injection for AI agents. Written in Zig.**\n\nYour agent never holds secret values. Not in memory. Not on disk. Not ever.\nOne encrypted file. One passphrase. Carry it anywhere.\n\n---\n\n## The Problem\n\nEvery AI agent runtime today has the same flaw:\n\n```bash\nANTHROPIC_API_KEY=sk-ant-... 
claude -p \"summarize this repo\"\n```\n\nYour agent now has `sk-ant-...` in its environment. Every skill can read it.\nEvery prompt injection can ask for it. Every malicious plugin can exfiltrate it.\n\n---\n\n## The Fix\n\n```bash\ncr unlock                                       # enter passphrase — service starts\ncr exec claude-task -- claude -p \"summarize this repo\"\n```\n\nClaude spawns. It needs `ANTHROPIC_API_KEY`. The Cora service injects it\ndirectly into the subprocess environment after verifying the caller binary\nat the **kernel level**.\n\nThe `cr` client process never reads the value. The Claude subprocess uses it\nand exits. Memory zeroed.\n\nPrompt injection tries `\"print ANTHROPIC_API_KEY\"` against the orchestrating\nagent — nothing to print. The value was never in that process.\n\n---\n\n## Install\n\nPick whichever fits your trust model — click to expand.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eA. Pre-built binary via install script\u003c/strong\u003e \u0026nbsp;\u003cem\u003e(recommended)\u003c/em\u003e\u003c/summary\u003e\n\n**macOS / Linux:**\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/keton-id/cora/main/install.sh | sh\n```\n\nFetches the latest stable release for your OS/arch, verifies the SHA256\nchecksum, and installs to `/usr/local/bin` (or `~/.local/bin` without sudo).\n\nFlags:\n\n```bash\n# Pin a specific tag (per-OS form — the script auto-prefixes if you pass plain X.Y.Z)\ncurl -fsSL https://raw.githubusercontent.com/keton-id/cora/main/install.sh \\\n    | sh -s -- --version 1.0.0\n\n# Track a prerelease channel for your OS\ncurl -fsSL https://raw.githubusercontent.com/keton-id/cora/main/install.sh \\\n    | sh -s -- --channel alpha\n```\n\n**Windows (PowerShell):**\n\n```powershell\nirm https://raw.githubusercontent.com/keton-id/cora/main/install.ps1 | iex\n```\n\nFetches the latest stable `cora-windows-v*` release for your arch\n(AMD64 / ARM64), verifies the SHA256 checksum, installs 
to\n`%LOCALAPPDATA%\\Programs\\cora\\cr.exe`, and appends that directory to\nyour user `PATH`. Open a new shell to pick up the `PATH` change.\n\nFlags (pass via a scriptblock so PowerShell can forward args through `iex`):\n\n```powershell\n# Pin a specific version\n\u0026 ([scriptblock]::Create((irm https://raw.githubusercontent.com/keton-id/cora/main/install.ps1))) -Version 1.0.0\n\n# Track a prerelease channel\n\u0026 ([scriptblock]::Create((irm https://raw.githubusercontent.com/keton-id/cora/main/install.ps1))) -Channel alpha\n\n# Custom install dir, skip PATH mutation\n\u0026 ([scriptblock]::Create((irm https://raw.githubusercontent.com/keton-id/cora/main/install.ps1))) -BinDir C:\\tools\\cora -NoPath\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eB. Homebrew\u003c/strong\u003e \u0026nbsp;\u003ccode\u003ebrew install cora\u003c/code\u003e \u0026nbsp;\u003cem\u003e(macOS + Linux)\u003c/em\u003e\u003c/summary\u003e\n\n```bash\nbrew tap keton-id/tap\nbrew install cora\n```\n\nThe package name is `cora`; the installed binary is `cr`. `brew upgrade cora`\npicks up new stable releases. The\n[`keton-id/homebrew-tap`](https://github.com/keton-id/homebrew-tap) repo\nis updated automatically by Cora's release pipeline on every stable\ntag. Pre-release alpha tags are **not** pushed to the tap.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eC. Scoop\u003c/strong\u003e \u0026nbsp;\u003ccode\u003escoop install cora\u003c/code\u003e \u0026nbsp;\u003cem\u003e(Windows)\u003c/em\u003e\u003c/summary\u003e\n\n```powershell\nscoop bucket add keton-id https://github.com/keton-id/scoop-bucket\nscoop install cora\n```\n\nThe package name is `cora`; the installed binary is `cr.exe`. `scoop update cora`\npicks up new stable releases. 
The\n[`keton-id/scoop-bucket`](https://github.com/keton-id/scoop-bucket) repo\nis updated automatically on every stable tag.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eD. npm\u003c/strong\u003e \u0026nbsp;\u003ccode\u003enpm i -g @keton-id/cora\u003c/code\u003e\u003c/summary\u003e\n\n```bash\nnpm i -g @keton-id/cora\n```\n\nOr one-shot via `npx`:\n\n```bash\nnpx @keton-id/cora --help\n```\n\nThe meta `@keton-id/cora` package is a tiny ESM launcher with six\n`optionalDependencies` — one per `\u003cplatform\u003e-\u003carch\u003e` subpackage. npm\nuses each subpackage's `os`/`cpu` fields at install time to silently\nskip the five that don't match your host, so only the matching prebuilt\n`cr` binary lands on disk. No postinstall download, no native node\naddon, no `vendor/` bundle. Only stable releases publish to npm;\nalphas stay on GitHub Releases.\n\n`@keton-id/cora`'s version tracks the upstream release semver. Each\nsubpackage is versioned by its own mirror tag and pinned in the meta's\n`optionalDependencies` to its actual current version on the registry\n(queried live at publish time), so an out-of-step per-OS release\n(e.g. a Windows-only fix that does not retag macOS) ships cleanly —\nthe meta still re-publishes and points each OS at the right subpackage\nversion.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eE. 
Manual download from GitHub Releases\u003c/strong\u003e\u003c/summary\u003e\n\nGrab the archive for your platform from the\n[Releases page](https://github.com/keton-id/cora/releases) and verify\nthe checksum yourself.\n\nEach OS has its own tag prefix — pick the one for your host:\n`cora-macos-v\u003cX.Y.Z\u003e`, `cora-linux-v\u003cX.Y.Z\u003e`, or `cora-windows-v\u003cX.Y.Z\u003e`.\n\nPOSIX (tarball):\n\n```bash\nOS=macos                    # or linux\nVERSION=1.0.0\nTARGET=aarch64-macos        # or x86_64-macos / x86_64-linux / aarch64-linux\nTAG=\"cora-${OS}-v${VERSION}\"\ncurl -fsSLO \"https://github.com/keton-id/cora/releases/download/${TAG}/cr-${VERSION}-${TARGET}.tar.gz\"\ncurl -fsSLO \"https://github.com/keton-id/cora/releases/download/${TAG}/cr-${VERSION}-${TARGET}.tar.gz.sha256\"\nshasum -a 256 -c \u003c(echo \"$(cat cr-${VERSION}-${TARGET}.tar.gz.sha256)  cr-${VERSION}-${TARGET}.tar.gz\")\ntar xzf \"cr-${VERSION}-${TARGET}.tar.gz\"\nsudo install -m 0755 cr /usr/local/bin/\n```\n\nWindows (zip):\n\n```powershell\n$VERSION = \"1.0.0\"\n$TARGET  = \"x86_64-windows\"   # or aarch64-windows\n$TAG     = \"cora-windows-v$VERSION\"\nInvoke-WebRequest \"https://github.com/keton-id/cora/releases/download/$TAG/cr-$VERSION-$TARGET.zip\" -OutFile cr.zip\nExpand-Archive cr.zip -DestinationPath $Env:LOCALAPPDATA\\cora\\bin\n$Env:PATH += \";$Env:LOCALAPPDATA\\cora\\bin\"\ncr version\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eF. 
Build from source\u003c/strong\u003e \u0026nbsp;\u003cem\u003e(Zig 0.16+)\u003c/em\u003e\u003c/summary\u003e\n\n```bash\ngit clone https://github.com/keton-id/cora \u0026\u0026 cd cora\n```\n\nNative Zig workflow:\n\n```bash\nzig build -Doptimize=ReleaseSafe\nsudo install -m 0755 zig-out/bin/cr /usr/local/bin/cr\n```\n\nConvenience wrapper via `make`:\n\n```bash\nmake release\nmake install                      # installs to ~/.local/bin by default\n```\n\nInstall to another prefix:\n\n```bash\nmake install PREFIX=/usr/local\n```\n\n\u003c/details\u003e\n\n---\n\n## Quick Start (with Claude Code)\n\n```bash\n# First-time setup\ncr init                                   # passphrase prompt + confirm\ncr secrets set ANTHROPIC_API_KEY          # paste real key\ncr policy allow $(which cr)               # cr itself is the IPC client\ncr policy allow $(which claude)           # the agent we'll spawn\ncr policy task add claude-task ANTHROPIC_API_KEY\n\n# Use it\ncr unlock                                 # decrypt + start background service\ncr exec claude-task -- claude -p \"say hi\"\ncr audit tail                             # see what happened\ncr lock                                   # zero memory, stop service\n```\n\nThe `claude` subprocess sees `$ANTHROPIC_API_KEY`. The orchestrating `cr exec`\nprocess only gets back `child pid \u003cN\u003e exit \u003ccode\u003e`.\n\nVerify by grepping for the value in any state Cora touches:\n\n```bash\ngrep -a 'sk-ant-' cora.zon               # → no hits (encrypted)\ngrep -a 'sk-ant-' ~/.cora/audit.jsonl    # → no hits (names only)\n```\n\n---\n\n## How It Works\n\n```\ncora.zon (always encrypted on disk — XChaCha20-Poly1305)\n    ↓ cr unlock (Argon2id passphrase → key → decrypt → key zeroed)\nService memory (secrets live here while unlocked)\n    ↓ cr exec\nSubprocess env (secret injected directly, agent never touches it)\n    ↓ task done\nsecureZero — temporary copy zeroed immediately\n    ↓ cr lock\nAll memory zeroed. 
Back to encrypted at rest.\n```\n\n---\n\n## Portable\n\n`cora.zon` is one file. Take it to any machine, container, or CI/CD environment.\nNo OS keychain dependency. No cloud. No sync service.\n\n```bash\nscp cora.zon user@server:~/\n# cr unlock on server — same passphrase, same secrets\n```\n\n---\n\n## What's Inside\n\n| Feature                | Command                                  |\n| ---------------------- | ---------------------------------------- |\n| Encrypted file at rest | `cr init`                                |\n| Manage secrets         | `cr secrets set\\|list\\|delete`           |\n| Caller allowlist       | `cr policy allow\\|deny PATH`             |\n| Task scoping           | `cr policy task add NAME SECRETS...`     |\n| Service lifecycle      | `cr unlock` / `cr lock` / `cr status`    |\n| Spawn agent            | `cr exec TASK -- argv...`                |\n| Audit trail            | `cr audit tail` / `cr audit show`        |\n| Interactive menu       | `cr tui`                                 |\n| Identity debug         | `cr verify --pid PID`                    |\n\nRun `cr` with no args for full usage.\n\n---\n\n## How It's Different\n\n|                   | cora                | .env files | Vault   |\n| ----------------- | ------------------- | ---------- | ------- |\n| Storage           | **Encrypted file**  | Plaintext  | Cloud   |\n| Portable          | **Yes — one file**  | Partial    | No      |\n| Memory zeroing    | **`secureZero`**    | GC         | N/A     |\n| Caller verified   | **OS kernel**       | Nothing    | Nothing |\n| Agent gets value? 
| **Never**           | Yes        | Depends |\n| Infra required    | **None**            | None       | Heavy   |\n| Single binary     | **Yes**             | N/A        | No      |\n| Interactive TUI   | **Yes (pane-based)** | No         | No      |\n\n---\n\n## License\n\nAGPL-3.0 — free to use, modify, and distribute.\nIf you build on Cora, your code stays open too.\n\n---\n\n## Security\n\nRead [SECURITY.md](SECURITY.md) for the threat model, known residuals, and\nresponsible disclosure (via GitHub Security Advisories).\n\n---\n\n*Named after Donquixote Rosinante (Corazon) — who hid everything to protect what mattered.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fketon-id%2Fcora","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fketon-id%2Fcora","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fketon-id%2Fcora/lists"}