Start

Overview

What HASP is, what ships in the public repo, and what the local broker does.

HASP is a local secret broker for coding agents.

Agents need credentials to run tests, call APIs, and deploy code. Copying those credentials into prompts, shell history, .env files, or repo-local notes makes the agent faster today and harder to trust tomorrow. HASP keeps secrets in a local encrypted vault and gives commands only the values they are allowed to use at runtime.

The core rule is:

Managed secret values must not enter agent context.

Install

Use Homebrew for normal installs on macOS and Linux:

brew tap gethasp/homebrew-tap
brew install hasp
hasp version

Then run the guided setup:

hasp setup

For source builds:

make build
bin/hasp version

See install.md for packaged release verification, upgrades, and uninstall steps.

First proof

Add a secret, connect a project, and run a command through the broker:

hasp secret add
hasp app connect
hasp app run -- sh -c 'test -n "$API_TOKEN"'

For the full first-run path, start with QUICKSTART.md. For the operating model behind vaults, grants, bindings, and agent profiles, read mental-model.md.

What HASP does

stores managed secrets in a local encrypted vault
brokers secret access to commands and agent tooling
supports run, inject, MCP, and app connection flows
materializes plaintext only when an operator asks for that tradeoff
installs repo hooks that block managed secrets from commits and deploy paths
keeps audit records for brokered secret use

HASP is local-first. It does not require a hosted control plane for v1.

Repo layout

.|-- apps/server/        # Go module for the hasp CLI and local broker|-- docs/               # Public product and operator docs|-- scripts/            # Public build, test, install, release, and verification helpers|-- Makefile            # Common local and CI entry points`-- QUICKSTART.md       # Shortest path to a working local install

The Go code lives in apps/server because the released module path is github.com/gethasp/hasp/apps/server. Keeping that path stable avoids breaking imports, release scripts, Homebrew packaging, and downstream source builds.

Development

Use the root Makefile for normal local work:

make build
make test
make lint
make verify-ci

The server module has the same focused targets under apps/server:

make -C apps/server test
make -C apps/server coverage

Script details are in scripts/README.md. Server internals are in apps/server/README.md.

Docs

install.md covers Homebrew and packaged releases.
after-homebrew.md covers first setup after install.
command-guide.md maps jobs to commands.
cli-reference.md lists generated command help.
operator-guide.md covers day-to-day operations.
value-free-manifests.md explains safe manifests.
agent profiles cover Codex, Claude Code, Cursor, Aider, and generic agent flows.

The full docs index is docs/README.md.

Security

Report security issues through SECURITY.md. Please do not open a public issue for a suspected vulnerability.

License

HASP is source-available under the Fair Core License. See LICENSE.