COMPARE · 2026-06-11Evidence-backed

Market comparison for agent-secret infrastructure. Trust boundaries, strengths, and gaps.

Tier 01 · executive read

System	Where it is genuinely strong	Where it is weak
HASP Source-available with FCL-1.0-ALv2	Keeps local project secrets in an encrypted vault and releases them through scoped broker runs. Treats the repo as part of the risk: bindings, leak checks, redaction, and audited grants live in the same flow. Fails closed by default. Backup passphrases scrub on lock, MCP regressions block releases, and managed values stay out of agent output.	No hosted team dashboard or central identity layer in V1. No HTTP/WebSocket gateway, provider catalog, or AI spend controls yet. No declarative policy engine for distributing approvals across many users or services.
Kontext CLI MIT	Smoother first-run onboarding for centrally managed teams Stronger hosted identity and org attribution story	Claude stays the first-class agent. The deterministic policy engine now runs on-host, but identity and dashboards still live in the backend Resolved secrets enter the agent process environment, and repo leak blocking is not the main product
OneCLI Apache-2.0	Faster self-serve onboarding with a full dashboard and bundled local stack WebSocket proxy support and a generic body transform pattern extend coverage to streaming agent-tool flows	The model centers on HTTP and WebSocket gateway traffic, so local command and file-secret workflows stay outside the happy path It needs a web/database control plane. That is useful for teams, heavier for a solo local repo
fnox MIT	A github-oauth device-flow lease backend mints short-lived user-attributed tokens with no app private key, on top of an already broad provider catalog The `fnox-core` crate split makes fnox usable as a library for other tools without dragging the CLI/TUI/MCP surface	The default developer path materializes secrets into env vars or shell state, even after POSIX-safe shell hardening The MCP surface can return raw secret values, and the repo scanner is still a placeholder
Infisical Agent Vault MIT Expat for non-ee code; enterprise features reserved for ee/ Infisical license	MITM-only ingress with WebSocket transparency tightens the network coverage story The `run` agent mode gives Agent Vault a real path for unattended and containerized deploys	v0.15 flipped the default to passthrough for unmatched hosts. Adoption is smoother, fail-closed posture is weaker It is strongest for HTTP/WebSocket. Repo leak prevention and non-HTTP command/file delivery are weaker
Tailscale Aperture Proprietary managed service	Much stronger hosted identity, attribution, and centralized AI usage reporting Full request/response capture, tool-use logging, and SIEM/S3 export	It is a managed beta tied to Tailscale identity and network assumptions It does not give you a local vault, offline workflow, or repo leak guardrails
Agent Cookie MIT	Much stronger browser and CLI session continuity for a second Mac or headless agent machine MIT license and public Go implementation	It makes existing sessions available on an agent Mac, so compatibility can mean cookies, sidecars, env files, or adapter blobs It does not give you a local vault, repo leak guardrails, or explicit per-use grants
Docker Secrets Engine Apache-2.0	Cleaner value-free pointer UX through `se://` references in Docker, Compose, and env-wrapper workflows Broader provider and plugin architecture with public Go SDKs	The resolver path returns plaintext bytes to clients, and `docker pass run` materializes values into child-process env `se://` references improve Docker and Compose config hygiene, but they are not per-use grants or repo leak guardrails

System

Where it is genuinely strong

Where it is weak

HASP Source-available with FCL-1.0-ALv2

Keeps local project secrets in an encrypted vault and releases them through scoped broker runs.

Treats the repo as part of the risk: bindings, leak checks, redaction, and audited grants live in the same flow.

Fails closed by default. Backup passphrases scrub on lock, MCP regressions block releases, and managed values stay out of agent output.

No hosted team dashboard or central identity layer in V1.

No HTTP/WebSocket gateway, provider catalog, or AI spend controls yet.

No declarative policy engine for distributing approvals across many users or services.

Kontext CLI MIT

Smoother first-run onboarding for centrally managed teams

Stronger hosted identity and org attribution story

Claude stays the first-class agent. The deterministic policy engine now runs on-host, but identity and dashboards still live in the backend

Resolved secrets enter the agent process environment, and repo leak blocking is not the main product

OneCLI Apache-2.0

Faster self-serve onboarding with a full dashboard and bundled local stack

WebSocket proxy support and a generic body transform pattern extend coverage to streaming agent-tool flows

The model centers on HTTP and WebSocket gateway traffic, so local command and file-secret workflows stay outside the happy path

It needs a web/database control plane. That is useful for teams, heavier for a solo local repo

fnox MIT

A github-oauth device-flow lease backend mints short-lived user-attributed tokens with no app private key, on top of an already broad provider catalog

The `fnox-core` crate split makes fnox usable as a library for other tools without dragging the CLI/TUI/MCP surface

The default developer path materializes secrets into env vars or shell state, even after POSIX-safe shell hardening

The MCP surface can return raw secret values, and the repo scanner is still a placeholder

Infisical Agent Vault MIT Expat for non-ee code; enterprise features reserved for ee/ Infisical license

MITM-only ingress with WebSocket transparency tightens the network coverage story

The `run` agent mode gives Agent Vault a real path for unattended and containerized deploys

v0.15 flipped the default to passthrough for unmatched hosts. Adoption is smoother, fail-closed posture is weaker

It is strongest for HTTP/WebSocket. Repo leak prevention and non-HTTP command/file delivery are weaker

Tailscale Aperture Proprietary managed service

Much stronger hosted identity, attribution, and centralized AI usage reporting

Full request/response capture, tool-use logging, and SIEM/S3 export

It is a managed beta tied to Tailscale identity and network assumptions

It does not give you a local vault, offline workflow, or repo leak guardrails

Agent Cookie MIT

Much stronger browser and CLI session continuity for a second Mac or headless agent machine

MIT license and public Go implementation

It makes existing sessions available on an agent Mac, so compatibility can mean cookies, sidecars, env files, or adapter blobs

It does not give you a local vault, repo leak guardrails, or explicit per-use grants

Docker Secrets Engine Apache-2.0

Cleaner value-free pointer UX through `se://` references in Docker, Compose, and env-wrapper workflows

Broader provider and plugin architecture with public Go SDKs

The resolver path returns plaintext bytes to clients, and `docker pass run` materializes values into child-process env

`se://` references improve Docker and Compose config hygiene, but they are not per-use grants or repo leak guardrails

Tier 02 · capability matrix

Capability	HASP	Kontext CLI	OneCLI	fnox	Infisical Agent Vault	Tailscale Aperture	Agent Cookie	Docker Secrets Engine
Local encrypted vault as primary secret store	Yes	No	No	Partial	Yes	No	No	Partial
Hosted identity and org attribution	No	Yes	Optional	Provider-specific only	Local users/session roles; Infisical ecosystem path exists but Agent Vault is local-first today	Yes	No	No
Short-lived credential exchange from managed providers	No	Yes	Partial	Yes	Scoped vault sessions for proxy access	No	No	Partial
Brokered execution that keeps secret values out of agent-visible output	Yes	No	Partial	Partial	Yes, for HTTP(S) traffic via proxy	Partial	No	No
Direct env injection into agent process	Convenience-only	Yes	No	Yes	Proxy and CA env injection, not raw provider secrets	No	Yes	Yes
Explicit once/session/window grants	Yes	No	Policy approvals only	No	Vault roles plus proposal approval	Identity grants and quotas	Partial	No
Repo leak scan and block-by-default hook/deploy path	Yes	No	No	No	No	No	No	No
Audited override for blocked repo leaks	Yes	No	No	No	No repo-guardrail override model	No	No	No
Agent-assisted secret capture into managed storage	Yes	No	No	No	Yes, via proposal/request workflow and vault credential management	No	No	No
Local encrypted backup and restore	Yes	No	No	Config/provider-based	Not surfaced as a primary CLI feature in reviewed docs	No	No	Partial
Hosted dashboard / centralized session telemetry	No	Yes	Yes	No	Local web dashboard; Infisical commercial path exists	Yes	No	No
Meaningful local/offline use without remote control plane	Strong	Weak	Moderate	Strong when local/encrypted providers are configured	Strong local/self-host path	Weak	Partial	Strong

More machinery can be worth it for teams. It is friction for a local agent workflow.

One signed binary. One encrypted file. That is the whole product surface.

Source-available. SBOM, SLSA provenance, code-signing status, and reproducible-build sidecar ship inside the release artifact. scripts/hasp-verify-release.sh verifies the signed checksum manifest plus the tarball and binary signatures before install.

Homebrew

$ brew tap gethasp/tap
$ brew install gethasp/tap/hasp
$ hasp setup
$ hasp app connect myapp
$ hasp proof

→ ok proof passed · 412ms
→ ok vault unlocked · binding ./api
→ ok agent never read

From source

$ git clone https://github.com/gethasp/hasp
$ cd hasp
$ make build
$ ./bin/hasp setup
$ ./bin/hasp proof

→ ok binary built from source
→ ok vault initialized
→ ok proof passed

Install script

$ curl -fsSL https://gethasp.com/install.sh | sh
==> Checking installer prerequisites
==> Downloading release artifacts
==> Verifying release checksums and signatures
installed hasp to ~/.local/bin/hasp
version: 1.0.36
Start hasp setup now? [Y/n] y
$ hasp app connect myapp
$ hasp proof

→ ok hasp installed on PATH
→ ok vault unlocked · binding ./api
→ ok agent never read