SPEC SHEET · 01Sheet 1 of 1

Hand the agent the keys.Without actually handing it the keys.

A local broker that holds your secrets in one encrypted vault and hands them to apps and coding agents when needed, only inside the project boundary, only for the window you allow, and never as a value the agent can see.

Vault1 fileArgon2id · AEAD

Audit logchained HMACappend-only

resolves
at exec

haspbrokerv1.0 · daemon

redacts
11 enc.

AgentMCP / CLI6 first-class

Applauncher on PATHenv · file · dotenv

Plaintext pathonly inside the brokered child process

Cleartext at restnever. memory only while unlocked

Spec 01

11^enc

Streaming output redactor

Raw, base64-std, base64-url, base32, hex (lower & upper), URL-encoded, JSON-escaped, HTML entity, double-percent, Unicode escape. Marker tokens preserve line counts.

Spec 02

24^h

Hard grant ceiling

Once · session · window. Window accepts durations like 15m or 1h. The 24-hour ceiling is enforced inside the daemon. No policy can lift it.

Spec 03

6⁺¹

First-class agent profiles

claude-code, codex-cli, cursor, aider, hermes, openclaw. A generic profile covers anything else that speaks MCP or runs a CLI.

Spec 04

0^cloud

Local-first, end to end

No account. No control plane. Telemetry stays off unless you explicitly opt in. Works on a plane, in a SCIF, on a laptop with no network. Source-available critical path. Signed release with SBOM & SLSA.

Surface · the actual product, in three nouns

Noun 01

Vault

One personal encrypted local store under your home directory. Argon2id with memory-hard parameters (64 MB · 3 iterations · 4 lanes). AEAD encryption at rest. All your secrets live here once.

Noun 02

Apps

Normal applications you connect to the vault: your dev server, your data tool, your CLI. After connecting, you launch them by name and the right values are present. Three delivery modes: env var, temp file 0600, temp dotenv outside the repo.

Noun 03

Agents

Coding agents you connect to the vault. After connecting, the agent works through hasp instead of around it. MCP tool surface returns references and metadata, not values. The agent never reads the value.

Setup is explicit, once. Runtime is invisible, every time after.

Features · the whole local broker, organized by job

01 · System model

One local trust boundary, four moving parts.

HASP stays small on purpose: secrets live in one encrypted vault, repo roots define where they may be used, repo targets choose the workflow subset, apps and agents connect once, and short-lived grants deliver values only to a specific brokered run.

Vault: Encrypted local store of named secrets under HASP_HOME.
Repo: A bound project root plus optional value-free targets for workflow-specific delivery.
Agent: A connected app or coding agent that gets brokered access.
Grant: Short-lived, scoped permission to deliver a secret to one run.

Start and prove: Guided setup, repo bootstrap, first vault creation, health diagnosis, and the brokered first-proof check.; setupbootstrapinitdoctorproof
Keep secrets named: Add, import, capture, update, reveal, copy, expose, and hide values without turning them into loose project files.; secretimportsetcapture
Bind the repo edge: Project roots become policy boundaries. Inspect requirements, list targets, adopt repos, unbind stale ones, and scan for leaked managed values.; projectcheck-repo
Run without revealing: Resolve env and file refs at exec time, or expand a manifest target. Convenience env files exist, but only as an explicit operator request.; runinjectwrite-env
Apps and agents: Connect app profiles and coding-agent profiles once. MCP and CLI surfaces return references and metadata, not secret values.; appagentmcp
Lock, backup, restore: Lock session material, export encrypted backups, and restore a vault without making recovery a plaintext workflow.; vaultexport-backuprestore-backup
Runtime and grants: Start or inspect the daemon, open or revoke broker sessions, check reachability, and see current vault and daemon state.; daemonsessionstatusping
Evidence and maintenance: Print audit history, upgrade signed releases, generate completions and docs, report versions, and keep the deprecated TUI path visible.; auditupgradecompletiondocsversiontui

Outcomes · what stops being your problem

Mechanism

What it actually does

What you stop having to think about

Brokered runhasp run · hasp inject

Secrets injected into the child process at exec. The agent never enters the value into its context window or any readable surface.

You let the agent run while you make coffee, take a meeting, or sleep.

Process-tree-bound grantonce · session · window

Only the process tree the agent launched can use the grant. Hard 24-hour ceiling no policy can lift.

One bad day stops being a permanent breach.

Repo guardrailsscan · pre-commit · pre-push · deploy wrapper

Managed values are caught before they reach a commit, a push, or a deploy. Audited override for the rare case you need to ship a flagged file.

You let the agent edit files without proofreading every diff like a hawk.

Streaming redactoracross 11 encodings

Every encoded form of every managed value is masked in real time. Markers preserve line counts so logs still parse.

The traceback you copy-pasted into Slack is safe to send.

One vault, many appslauncher on PATH

After hasp app connect <name>, you type <name>. Rotation is one operation, not a search-and-replace.

You get back the half hour you lost every time you booted a project.

Append-only auditchained-hash HMAC

Every grant, reveal, and brokered run lands in a tamper-evident local log you own. Verify the chain. Package an evidence bundle.

"Did the agent touch the prod token?" gets answered in three seconds.

Fail-closed everywhereno silent downgrade

If the broker cannot enforce the rule, it refuses the operation. Failed safe injection does not fall back to writing an env file.

You stop carrying the suspicion that the tool you trust is lying in small ways.

The climate this arrives in · seven anchors from the last 30 days

9snine seconds

A coding agent powered by a frontier model deleted a production database and its volume backups, on a single API call, after finding a credential in an unrelated file.

TechStartups

2npm

A second-tier disclosure: a popular coding agent's settings file silently records environment variables and ships them inside published npm packages.

SecurityBrief

1line

A third disclosure: a one-line command-injection bug in another agent lets a crafted repository steal the developer's active model API key on clone-and-open.

Check Point

$82kcloud bill

A developer woke up to an $82,000 cloud bill on a project that normally spent $180/month after a leaked key was harvested and wrung out in a cryptomining loop.

SecureStartKit

28.6M2025 leaks

GitGuardian counted 28.6 million new secrets exposed in public commits across 2025. AI-coding repos: 40% more likely to leak than the rest.

GitGuardian

$2Masking price

A supply-chain attack on an AI infrastructure provider exposed internal env vars and a database key, both reportedly listed for sale at $2M.

VentureBeat

"…"classic risk

Prompt injection gets attention because it's novel, but stolen credentials are a classic attack with way higher impact.

Security community thread

Day in the life · three vignettes, three real failure modes

Vignette 01Pre-push

The .env that drifted

The agent rewrote a config file. You said yes. Three commits later you push and CI emails the team to say a Stripe key just landed in the diff.

Pre-push hook caught it before it left the laptop. The redactor would have caught it in the agent's own output if it had ever printed it.

Vignette 02Catastrophic

The 9-second wipe

The agent finds a credential in a file you forgot was on disk. The token is over-scoped because nobody had time to fix it last quarter. The agent decides the cleanest fix is destructive, and the database and its volume backups are gone before your push notification arrives.

The credential never lived loose on disk. It lived in the vault. The destructive call would have required explicit access-class approval no policy can disable.

Vignette 03Embarrassing

The pasted traceback

The agent crashed, dumped a traceback, and you copy-pasted the whole thing into a Slack channel to ask for help. Without hasp, the shape of your AWS access key is now in a Slack message, a Slack search index, and Slack's compliance log.

The traceback you copied has [REDACTED_HEX] where the value would have been. You did not have to remember anything.

One signed binary. One encrypted file. That is the whole product surface.

Source-available. SBOM, SLSA provenance, code-signing status, and reproducible-build sidecar ship inside the release artifact. scripts/hasp-verify-release.sh verifies the signed checksum manifest plus the tarball and binary signatures before install.

Homebrew

$ brew tap gethasp/tap
$ brew install gethasp/tap/hasp
$ hasp setup
$ hasp app connect myapp
$ hasp proof

→ ok proof passed · 412ms
→ ok vault unlocked · binding ./api
→ ok agent never read

From source

$ git clone https://github.com/gethasp/hasp
$ cd hasp
$ make build
$ ./bin/hasp setup
$ ./bin/hasp proof

→ ok binary built from source
→ ok vault initialized
→ ok proof passed

Install script

$ curl -fsSL https://gethasp.com/install.sh | sh
==> Checking installer prerequisites
==> Downloading release artifacts
==> Verifying release checksums and signatures
installed hasp to ~/.local/bin/hasp
version: 1.0.25
Start hasp setup now? [Y/n] y
$ hasp app connect myapp
$ hasp proof

→ ok hasp installed on PATH
→ ok vault unlocked · binding ./api
→ ok agent never read

HASP core specifications