{"id":50741621,"url":"https://github.com/moinsen-dev/secretariat","last_synced_at":"2026-06-10T17:30:56.670Z","repository":{"id":363655071,"uuid":"1119400278","full_name":"moinsen-dev/secretariat","owner":"moinsen-dev","description":" Secretariat is a local-first secrets manager that eliminates `.env` files entirely. One encrypted vault on your machine. All your API keys in one place. Every project just works.","archived":false,"fork":false,"pushed_at":"2026-06-09T20:20:13.000Z","size":951,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-09T21:14:14.068Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dart","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moinsen-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-19T08:03:32.000Z","updated_at":"2026-06-09T20:20:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/moinsen-dev/secretariat","commit_stats":null,"previous_names":["moinsen-dev/secretariat"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/moinsen-dev/secretariat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moinsen-dev%2Fsecretariat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moinsen-dev%2Fsecretariat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moinsen-dev%2Fsecretariat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moinsen-dev%2Fsecretariat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moinsen-dev","download_url":"https://codeload.github.com/moinsen-dev/secretariat/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moinsen-dev%2Fsecretariat/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34163253,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-10T17:30:56.596Z","updated_at":"2026-06-10T17:30:56.656Z","avatar_url":"https://github.com/moinsen-dev.png","language":"Dart","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://secretariat.moinsen.dev/og-image.png\"\u003e\n  \u003cimg src=\"https://secretariat.moinsen.dev/og-image.png\" alt=\"Secretariat — Der Secret-Vault für Mensch \u0026 KI\" width=\"800\"\u003e\n\u003c/picture\u003e\n\n# Secretariat — Der Secret-Vault für Mensch \u0026 KI\n\n\u003e **Ein Vault. Mensch und KI. Nie wieder Secrets im Chat.**\n\n[![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-blue)](LICENSE)\n[![macOS](https://img.shields.io/badge/platform-macOS-black?logo=apple)](https://secretariat.moinsen.dev)\n[![Rust](https://img.shields.io/badge/built%20with-Rust-orange?logo=rust)](https://www.rust-lang.org/)\n[![Homebrew](https://img.shields.io/badge/brew-tap-green?logo=homebrew)](https://github.com/moinsen-dev/homebrew-tap)\n\n---\n\n## Wieso Secretariat?\n\n```bash\n# Vorher: Wo war der API-Key noch?\ngrep -r \"sk-\" ~/Documents/\ncat ~/Projects/*/.env 2\u003e/dev/null\n# Oder schlimmer: Du gibst den Key deinem KI-Assistenten im Chat\n# → Er taucht in der Prompt-History, in Exports, in Logs auf\n\n# Nachher: Ein Befehl für Mensch \u0026 KI\nsec get /openai/api-key\n```\n\n**Secretariat ist der erste Secret-Manager, der für die Zusammenarbeit von Menschen und KI-Agenten gebaut ist.** Ein gemeinsamer, lokaler Vault. API-Keys, Tokens, Zertifikate — einmal gespeichert, für beide abrufbar. **Das Secret erscheint nie im Chat, nie in Dateien, nie in Prompt-Exports.**\n\n---\n\n## Quick Start\n\n```bash\n# Install (macOS)\nbrew install moinsen-dev/tap/secretariat\n\n# Oder aus Source bauen\ncargo build --release\n\n# Vault initialisieren (headless-fähig)\nsec init --password \"dein-passwort\"\n\n# Daemon starten (automatisch via LaunchAgent)\nbrew services start secretariat\n\n# Erstes Secret speichern\nsec set /github/token ghp_xxxxx\n\n# Abrufen — für Mensch \u0026 KI\nsec get /github/token\n\n# Alle Secrets listen\nsec list\n\n# Aus .env importieren\nsec import ~/project/.env\n```\n\n### Non-Interactive / Headless\n\n```bash\n# Initialisierung ohne Terminal\nSECRETARIAT_INIT_PASSWORD=\"pass\" sec init\n\n# Unlock ohne Touch-ID\nsec unlock --password-value \"pass\"\n# oder via Env-Var:\nSECRETARIAT_INIT_PASSWORD=\"pass\" sec unlock\n```\n\n---\n\n## Für KI-Agenten\n\nDein KI-Assistent (Claude, Codex, Hermes, o.ä.) kann Secrets direkt aus dem Vault laden:\n\n```bash\n# Der Agent ruft im Terminal auf:\nsec get /deepseek/api-key\n# → Output: Nur der Key in stdout. Nie im Chat. Nie in Dateien.\n```\n\nDamit:\n- **Kein Secret** landet im Prompt-Kontext oder in Chat-Logs\n- **Rotation** = ein `sec set` — der Agent holt beim nächsten Mal den neuen Key\n- **Ein Vault** für dich und all deine Agenten\n\n---\n\n## Features\n\n### 🛡️ Verschlüsselter Vault\nAES-256-GCM, SQLCipher-Backend, Argon2id Key-Derivation. Master-Key per Passwort geschützt.\n\n### ⚡ CLI + Daemon\n`sec set`, `sec get`, `sec list`, `sec import`. Daemon (`secd`) läuft im Hintergrund, LaunchAgent Auto-Start.\n\n### 🧑‍🤝‍🧑 Mensch + KI\nEin Vault für dich und deine Agenten. Das Secret erscheint nur im stdout des Terminal-Tools — nie im Chat oder in Dateien.\n\n### 🔗 Multi-Device\nUnix Socket (lokal) + TCP (Netzwerk). Auth-Token-geschützt. Zugriff vom Mac, Server, oder jedem Device im Netzwerk.\n\n### 🐍 Python SDK\n```python\nfrom secretariat import Vault\n\nvault = Vault()\ndb_password = vault.get(\"/postgres/password\")\n```\n\n### 🦀 Rust Core\nDaemon (`secd`) + CLI (`sec`) in einem Build. Schnell, speichersicher, kein GC.\n\n### 🤖 Headless-fähig\nFunktioniert auf headless Mac Minis und Servern. `--password`-Flag und `SECRETARIAT_INIT_PASSWORD`-Env-Var für Non-Interactive-Betrieb. Keychain-Timeout (3s) verhindert Hänger ohne GUI.\n\n---\n\n## Architektur\n\n```\n┌────────────────────────────────────────────────┐\n│  CLI (sec)        │  SDKs (Python, Dart,        │\n│                   │  Rust, Node.js)             │\n├────────────────────────────────────────────────┤\n│            Unix Socket / TCP (Port 7357)        │\n├────────────────────────────────────────────────┤\n│  Daemon (secd)    │  Auth-Token Auth            │\n├────────────────────────────────────────────────┤\n│  SQLCipher Vault  │  AES-256-GCM               │\n├────────────────────────────────────────────────┤\n│  macOS Keychain   │  File System                │\n└────────────────────────────────────────────────┘\n```\n\n### Komponenten\n\n| Component | Language | Location |\n|-----------|----------|----------|\n| Daemon (`secd`) | Rust | `daemon/` |\n| CLI (`sec`) | Rust | `cli/` |\n| macOS Menu Bar App | SwiftUI | `app/` |\n| Python SDK | Python | `sdk-python/` |\n| Rust SDK | Rust | `sdk-rust/` |\n| Dart SDK | Dart | `sdk-dart/` |\n| Node.js SDK | TypeScript | `sdk-node/` |\n| Website | HTML/CSS | `website/` |\n\n---\n\n## Development\n\n```bash\n# Clone\ngit clone https://github.com/moinsen-dev/secretariat.git\ncd secretariat\n\n# Build\ncargo build --release\n\n# Run daemon (foreground)\n./target/release/secd\n\n# Run CLI\n./target/release/sec status\n```\n\n### Prerequisites\n- Rust toolchain (1.75+)\n- macOS (für Keychain-Integration)\n- Optional: Flutter/Python/Node für SDK-Entwicklung\n\n---\n\n## License\n\n**BSL 1.1** (Business Source License) — [view full terms](LICENSE)\n\n- ✅ Code is **publicly visible** — auditable, verifiable\n- ✅ **Self-host for free** — unlimited users, unlimited secrets\n- ✅ **Modify and redistribute** — fork, patch, improve\n- ❌ **Don't resell as a competing cloud service**\n- 🔄 **Becomes Apache 2.0 on 2029-01-01**\n\n---\n\n## Community\n\n- **Website:** [secretariat.moinsen.dev](https://secretariat.moinsen.dev)\n- **GitHub Issues:** Bug reports, feature requests\n- **Email:** [uli@moinsen.dev](mailto:uli@moinsen.dev)\n\nBuilt with ❤️ by [Moinsen Development Hamburg](https://moinsen.dev)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoinsen-dev%2Fsecretariat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoinsen-dev%2Fsecretariat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoinsen-dev%2Fsecretariat/lists"}