{"id":50443485,"url":"https://github.com/vineethkrishnan/vaultctl","last_synced_at":"2026-06-04T05:01:25.960Z","repository":{"id":358423307,"uuid":"1203878072","full_name":"vineethkrishnan/vaultctl","owner":"vineethkrishnan","description":"Zero-knowledge password vault. Self-hosted, end-to-end encrypted, open source.","archived":false,"fork":false,"pushed_at":"2026-05-25T07:56:18.000Z","size":1602,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-25T08:28:41.923Z","etag":null,"topics":["docker","e2e-encryption","golang","open-source","password-manager","password-vault","security","self-hosted","vault","zero-knowledge"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vineethkrishnan.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"docs/security/verifying-releases.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-07T13:22:58.000Z","updated_at":"2026-05-25T07:56:13.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/vineethkrishnan/vaultctl","commit_stats":null,"previous_names":["vineethkrishnan/vaultctl"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/vineethkrishnan/vaultctl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vineethkrishnan%2Fvaultctl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/vineethkrishnan%2Fvaultctl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vineethkrishnan%2Fvaultctl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vineethkrishnan%2Fvaultctl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vineethkrishnan","download_url":"https://codeload.github.com/vineethkrishnan/vaultctl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vineethkrishnan%2Fvaultctl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33746513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","e2e-encryption","golang","open-source","password-manager","password-vault","security","self-hosted","vault","zero-knowledge"],"created_at":"2026-05-31T20:00:37.036Z","updated_at":"2026-05-31T20:00:45.520Z","avatar_url":"https://github.com/vineethkrishnan.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vaultctl\n\nSelf-hosted, zero-knowledge password vault. Single Go binary serves the API and the embedded React SPA. Browser extension and CLI talk to the same server. 
AGPL-3.0.\n\n- **Zero-knowledge by construction.** Argon2id key derivation and AES-256-GCM happen in the browser worker, the extension, or the CLI. The server has no code path to decrypt.\n- **One binary, one image.** The web bundle is embedded into the Go binary. Final container image is ~45MB on `gcr.io/distroless/static-debian12:nonroot`.\n- **Multi-user from day 1.** Organizations, invites, role-based vault sharing, RSA-OAEP wrap with Ed25519 signature pinning, member-removal triggers a vault rekey.\n- **Supply-chain hardened.** goreleaser builds for linux/darwin/windows × amd64/arm64; cosign keyless signing on every artifact; CycloneDX SBOM per archive; SLSA-L3 provenance attestation on public releases.\n\nDocs: [vaultctl.vinelabs.de](https://vaultctl.vinelabs.de)\n\n## Quick start (self-host)\n\n```bash\ngit clone https://github.com/vineethkrishnan/vaultctl.git\ncd vaultctl\ncp .env.example .env\n# fill in every secret — server fail-closes if any prod secret is empty.\n# generate values with: openssl rand -base64 32   (or 64 for JWT secrets)\n\ndocker compose up -d                              # starts caddy + vaultctl + postgres\ndocker compose exec vaultctl vaultctl migrate up  # apply embedded migrations\n```\n\nOpen `https://${VAULTCTL_BASE_URL}` and register the first user. Without a TLS-terminating proxy, use `docker-compose.simple.yml` and front it with your own reverse proxy on `127.0.0.1:8080`.\n\nStep-by-step screenshots of the registration -\u003e recovery-kit -\u003e first-item flow: [`docs/setup/walkthrough.md`](docs/setup/walkthrough.md).\n\nThe bundled compose sets `VAULTCTL_DB_SSL_INSECURE_OK=true` because Postgres lives on a private bridge network. 
For any deploy where the DB is reachable across hosts, leave this unset and configure `VAULTCTL_DB_SSL_MODE=verify-full`.\n\n## CLI\n\n```bash\ngo install github.com/vineethkrishnan/vaultctl/cmd/server@latest\n# go install names the executable after the last path element, so it is installed as `server`;\n# rename or symlink it to `vaultctl` before running the commands below\n# or grab a signed binary from the latest release\n\nexport VAULTCTL_API_URL=https://vault.example.com\nvaultctl login\nvaultctl ls\nvaultctl get GitHub\nvaultctl add login --name Reddit\nvaultctl backup --output /var/backups/vaultctl\n```\n\nThe same binary runs the server (`vaultctl server`), applies migrations (`vaultctl migrate up|down`), and runs the client commands. `--json` is honored on every read command.\n\n## Browser extension (MV3)\n\n```bash\ncd extension\nnpm ci\nnpm run build           # outputs .output/chrome-mv3\n```\n\nLoad `extension/.output/chrome-mv3` via `chrome://extensions` -\u003e Developer mode -\u003e Load unpacked. Firefox: `about:debugging`.\n\n## Development\n\nToolchain: Go 1.22+, Node 22+, Docker (with `docker compose`), and GNU `make`. The `make` targets below are thin wrappers around `go build` / `npm` / `golangci-lint` / `gosec` / `govulncheck` — install any tool the target needs that you don't already have.\n\n```bash\nmake web-build          # build the SPA (embedded into the Go binary)\nmake build              # build the vaultctl binary\nmake run                # run the server locally on :8080\nmake test               # go test ./... -race -count=1 -coverprofile=coverage.out\nmake lint               # golangci-lint run ./...\nmake sec                # gosec + govulncheck\n```\n\nWeb dev server (proxies `/api` to `http://localhost:8080`):\n\n```bash\ncd web\nnpm ci\nnpm run dev             # http://localhost:5173\nnpm run typecheck       # tsc --noEmit\nnpm run test            # vitest\nnpm run test:e2e        # playwright (35 e2e tests)\n```\n\n## Verifying releases\n\nvaultctl publishes four layers of supply-chain evidence. For credential-vault use you should verify at least the layer matching how you install. 
Step-by-step verification commands: [`docs/security/verifying-releases.md`](docs/security/verifying-releases.md).\n\n| Layer | What it proves |\n| --- | --- |\n| `cosign verify-blob` against `checksums.txt` | the binary tarball matches what the release workflow built |\n| `cosign verify` against the container manifest | the image digest you pulled was produced by the release workflow |\n| SLSA build provenance attestation | a named GitHub workflow at a specific tag produced the artifact |\n| CycloneDX SBOM (`*.sbom.cdx.json`) | complete dependency inventory for review and vuln scanning |\n\n## Project layout\n\n```\ncmd/server/                   # binary entry: server, migrate, backup, admin, client cmds\ninternal/domain/              # core types and invariants — no I/O\ninternal/application/         # use cases composed from ports\ninternal/infrastructure/      # postgres, JWT, crypto adapters\ninternal/presenters/api/      # chi router, handlers, middleware\ninternal/presenters/cli/      # cobra command tree\nmigrations/                   # *.sql, embedded into the binary\nweb/                          # React + Vite SPA, embedded into the binary\nextension/                    # WXT + MV3 browser extension\ndeploy/caddy/                 # Caddyfile for the bundled stack\ndocs/security/                # release verification guide\ndocs-site/                    # public docs site (deployed to Cloudflare Pages)\n```\n\n## License\n\nAGPL-3.0. See [`LICENSE`](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvineethkrishnan%2Fvaultctl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvineethkrishnan%2Fvaultctl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvineethkrishnan%2Fvaultctl/lists"}