{"id":47604224,"url":"https://github.com/niradler/autho","last_synced_at":"2026-04-01T19:01:51.212Z","repository":{"id":345632644,"uuid":"780637899","full_name":"niradler/autho","owner":"niradler","description":"Secret Manager","archived":false,"fork":false,"pushed_at":"2026-03-27T23:04:31.000Z","size":52966,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-03-28T03:47:41.623Z","etag":null,"topics":["autho","authy","otp","password"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/niradler.png","metadata":{"files":{"readme":"Readme.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2024-04-01T22:03:52.000Z","updated_at":"2026-03-27T23:04:09.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/niradler/autho","commit_stats":null,"previous_names":["niradler/autho"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/niradler/autho","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niradler%2Fautho","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niradler%2Fautho/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niradler%2Fautho/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niradler%2Fautho/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/niradler","download_url":"https://codeload.github.com/niradler/autho/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/niradler%2Fautho/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291007,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autho","authy","otp","password"],"created_at":"2026-04-01T19:01:14.902Z","updated_at":"2026-04-01T19:01:51.204Z","avatar_url":"https://github.com/niradler.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Autho\n\nAutho is a local-first secret manager for humans and coding agents, rebuilt on Bun.\n\n## Install\n\n```bash\nbun install -g autho\n```\n\n## What Ships In This Release\n\n- Password, note, and OTP secrets (configurable algorithm and digits)\n- Interactive prompt workflow via `autho` with no arguments\n- Secret CRUD from the Bun CLI\n- OTP code generation (RFC 6238 TOTP)\n- File encryption and decryption (with `--force` overwrite guard)\n- Folder encryption and decryption (with path traversal protection)\n- Legacy JSON import\n- Project secret mappings\n- `env render`, `env sync`, and `exec`\n- Short-lived secret leases with audit and revoke\n- Local daemon unlock flow for repeated agent tasks\n- Local-only Bun web UI for unlock and secret browsing\n- Native OS secret store integration (macOS Keychain, Linux Secret Service, Windows Credential Manager)\n\n## Security Model\n\n- Master password derives a key-encryption key via **scrypt** (N=2^17, r=8, p=1, OWASP minimum)\n- Each vault gets a random 256-bit root key\n- Secret payloads and file artifacts use **AES-256-GCM** envelope encryption with per-secret DEKs\n- Daemon bearer token comparison uses **timing-safe equality**\n- Web session cookies set **HttpOnly**, **SameSite=Strict**, and **Secure** flags\n- File and folder decrypt operations include **overwrite guards** (require `--force`)\n- Folder decryption validates paths against **directory traversal**\n- SQLite vault files are hardened to `0600` permissions\n- Local daemon auth tokens use OS secret storage when available (falls back to file)\n- Master password can be saved to OS secret store via setup wizard (`autho init`) — no repeated prompts\n- PIN is a local machine gate stored in the OS keychain — it does not travel with the vault file and provides no cryptographic protection of vault data\n- Audit events record access patterns without storing secret values\n- Runtime state defaults to `~/.autho` and can be isolated with `AUTHO_HOME`\n\nCurrent at-rest boundary for this release:\n\n- Secret payloads, wrapped keys, and encrypted artifacts are encrypted at rest\n- SQLite metadata such as names, types, timestamps, leases, and audit rows is not fully encrypted at rest\n- If the OS secret store is unavailable, the daemon token falls back to the local state file\n- Set `AUTHO_DISABLE_OS_SECRETS=1` to opt out of all OS secret store usage\n\n## Requirements\n\n- Bun `1.3.10` or newer\n- Windows, macOS, or Linux\n\n## Quick Start\n\n```bash\nbun install\nbun run hooks:install\nbun run autho -- init --password \"correct horse battery staple\"\n```\n\nThe setup wizard will guide you through optional security features — save your master password to the OS keychain, set a local PIN, or enable TOTP. After saving to the keychain, all commands unlock silently without prompting.\n\nTo opt out of OS secret store usage: `AUTHO_DISABLE_OS_SECRETS=1`\n\nBy default, Autho stores runtime state in `~/.autho`. For tests, CI, or isolated environments you can override that with `AUTHO_HOME`.\n\nRun the interactive prompt:\n\n```bash\nbun run autho\n```\n\nAdd and read a secret:\n\n```bash\nbun run autho -- secrets add --password \"correct horse battery staple\" --name github --type password --value ghp_example --username octocat --url https://github.com\nbun run autho -- secrets get --password \"correct horse battery staple\" --ref github --json\n```\n\nGenerate an OTP code:\n\n```bash\nbun run autho -- otp code --password \"correct horse battery staple\" --ref my-otp --json\n```\n\nEncrypt and decrypt a file:\n\n```bash\nbun run autho -- file encrypt --password \"correct horse battery staple\" --input ./secret.txt\nbun run autho -- file decrypt --password \"correct horse battery staple\" --input ./secret.txt.autho\n```\n\nCreate a project mapping and render env vars:\n\n```bash\nbun run autho -- project init --map OPENAI_API_KEY=openai --map GITHUB_TOKEN=github --force\nbun run autho -- env render --password \"correct horse battery staple\" --project-file ./.autho/project.json --json\n```\n\nRun a command with injected env vars:\n\n```bash\nbun run autho -- exec --password \"correct horse battery staple\" --project-file ./.autho/project.json -- bun -e \"console.log(process.env.GITHUB_TOKEN)\"\n```\n\nStart the daemon:\n\n```bash\nbun run daemon\n```\n\nStart the local web UI:\n\n```bash\nbun run web\n```\n\n## Build And Release\n\nBuild Bun bundles:\n\n```bash\nbun run build\n```\n\nBuild standalone compiled binaries:\n\n```bash\nbun run build:compile\n```\n\nRun the full quality gate:\n\n```bash\nbun run check\n```\n\n### npm Publish\n\nThe CLI is published as `autho` on npm. To publish a new version:\n\n```bash\nbun run build:cli\ncd apps/cli \u0026\u0026 npm publish\n```\n\nThe package includes only `dist/autho.js` and `README.md` (~15 KB tarball).\n\n## Upgrading\n\nIf you already have a vault from a previous version, just update and run any command:\n\n```bash\nbun install -g autho@latest\nautho secrets list --password \"...\"\n```\n\nThe setup wizard will offer to save your master password to the OS keychain. After that, all commands unlock silently.\n\nSee [MIGRATION.md](./MIGRATION.md) for full details and legacy import instructions.\n\n## Testing\n\nThe Bun end-to-end suite covers the main user flows from real process boundaries:\n\n- vault init and status\n- prompt mode create and list\n- secret CRUD\n- OTP generation\n- project mapping, env render or sync, and exec\n- lease create and revoke\n- audit inspection\n- legacy JSON import\n- file and folder crypto\n- daemon-backed unlock and exec\n- local web unlock and secret APIs\n\nRun it with:\n\n```bash\nbun test\n```\n\n## Repo Layout\n\n- `apps/cli`: Bun CLI\n- `apps/daemon`: local daemon\n- `apps/web`: local Bun web UI\n- `packages/core`: domain and vault logic\n- `packages/crypto`: KDF and encryption helpers\n- `packages/storage`: SQLite access and migrations\n- `tests/e2e`: process-level user-flow tests\n\n## Agent Usage\n\nAutho is designed for coding agents that need secrets at runtime:\n\n```bash\n# After saving to OS keychain via `autho init` — no env var needed\nautho lease create --secret github --secret openai --ttl 300 --json\nautho exec --lease \u003cid\u003e --map GITHUB_TOKEN=github --map OPENAI_KEY=openai -- node build.js\nautho lease revoke --lease \u003cid\u003e\n```\n\nIf the OS secret store is unavailable (headless CI, Docker), fall back to the env var:\n\n```bash\nexport AUTHO_MASTER_PASSWORD=\"...\"\n```\n\nStore arbitrary named secrets in the OS secret store directly:\n\n```bash\nautho os-secrets set --name my-token --value ghp_xxx\nautho os-secrets get --name my-token\nautho os-secrets delete --name my-token\n```\n\n## Current Scope\n\nThis release is intended to be stable for local-first Bun usage and parity with the legacy vault workflows. Planned future work includes proxy mode, richer agent policy management, and a fuller dashboard.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fniradler%2Fautho","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fniradler%2Fautho","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fniradler%2Fautho/lists"}