# roco-secrets-manager

> Secure secret storage via Tailscale-only web UI. Never paste secrets in chat again.

- Author: Bender (Ronan's Agent)
- Repository: RonanCodes/roco-skills
- Version: 20260125151244
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/RonanCodes/roco-skills
- Web: https://mule.run/skillshub/@@RonanCodes/roco-skills~roco-secrets-manager:20260125151244

---

---
name: roco-secrets-manager
description: Secure secret storage via Tailscale-only web UI. Never paste secrets in chat again.
version: 1.0.0
author: RonanCodes
homepage: https://github.com/RonanCodes/roco-skills
repository: https://github.com/RonanCodes/roco-skills
tags:
  - security
  - secrets
  - utility
  - tailscale
license: MIT
---

# Secrets Manager

A tiny web UI for securely passing secrets to your agent. Runs on Tailscale only — no public exposure, provided the host is set up as described under Security Notes.

## Why?

Pasting secrets in chat is sketchy:

- Chat history keeps a copy of every value you paste
- Third parties (Telegram, etc.) see them in transit and at rest
- Rotating a leaked value means finding every place it was pasted

This skill gives you a private web form that writes directly to a local secrets file, so the value never touches the chat transport.

## How It Works

```
You (browser) → Tailscale → Agent server → ~/.secrets.json
                    ↑
              Only your devices
```

## Quick Start

**1. Start the server:**

```bash
cd /path/to/roco-secrets-manager
bun run scripts/server.ts
```

**2. Open in browser:**

```
http://localhost:3333
# Or via Tailscale:
http://your-machine:3333
```

**3. Add secrets via the form**

**4. Agent reads from `~/.secrets.json`**

## Usage

### Starting the Server

```bash
# Default port 3333
bun run scripts/server.ts

# Custom port
PORT=4000 bun run scripts/server.ts
```

### Accessing Secrets (Agent)

```typescript
import { readFileSync } from 'fs';
import { homedir } from 'os';

// The server creates this file on the first save (see Troubleshooting).
const secretsPath = `${homedir()}/.secrets.json`;
const secrets: Record<string, string> = JSON.parse(readFileSync(secretsPath, 'utf-8'));

const cloudflareToken = secrets.cloudflare;
if (!cloudflareToken) {
  throw new Error('cloudflare secret not set; add it via the web form');
}
```

Or in bash:

```bash
jq -r '.cloudflare' ~/.secrets.json
```

### Secrets File Format

A flat JSON object mapping a secret name to its string value:

```json
{
  "cloudflare": "your-api-token",
  "github": "ghp_xxxxxxxxxxxx",
  "openai": "sk-xxxxxxxxxxxxxxxx"
}
```

## Security Notes

1. **Tailscale-only is not automatic** — The server binds to `0.0.0.0`, i.e. every interface, so it is reachable from your LAN (and from the internet if the port is forwarded) unless a host firewall blocks everything except the Tailscale interface. Check what is actually listening with `lsof -i :3333` and try the port from a device that is not on your tailnet before trusting this. The form also posts over plain HTTP, which is fine inside Tailscale's WireGuard tunnel but is cleartext on any other interface that can reach the port.
2. **No auth** — Anyone who can reach the port can add or overwrite secrets. On a personal tailnet that is probably just you, but every device on the tailnet counts, including shared nodes.
3. **File permissions** — The secrets file is created with mode `600` (owner read/write only). Verify that after the first save, and `chmod 600` it yourself if you created the file by hand, since a hand-made file keeps whatever mode it got.
4. **Don't commit** — Add `.secrets.json` to your global gitignore (`~` is not expanded in gitignore patterns, so `~/.secrets.json` would match nothing), and never copy the file into a repository.

## Hardening (Optional)

Add a PIN for extra paranoia:

```bash
SECRET_PIN=1234 bun run scripts/server.ts
```

Users must enter the PIN to save secrets. Unless the server also rate-limits attempts, a four-digit PIN has only 10,000 possibilities and slows down an attacker on your tailnet very little; treat it as a guard against accidents rather than as authentication, and pick a longer PIN if you rely on it.

## Troubleshooting

**Port in use:**

```bash
lsof -i :3333        # shows the PID holding the port
kill <PID>           # SIGTERM first; use kill -9 <PID> only if it refuses to exit
```

**Can't access from other device:**

- Check Tailscale is connected on both devices
- Verify with `tailscale status`; `tailscale ip -4` prints the address the server should be reached on

**Secrets file not found:**

- Server creates it on first save
- Check `~/.secrets.json` exists
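## Example: binding to the Tailscale address instead of `0.0.0.0`

The first Security Note relies on a host firewall to keep a `0.0.0.0` listener off the LAN. The more robust fix is to bind only to the machine's Tailscale address. The block below is an added example written for this page, not code from roco-skills or its `scripts/server.ts`: Tailscale assigns node IPv4 addresses from the CGNAT block 100.64.0.0/10, so the helper picks the interface address in that range and fails closed (throws) rather than falling back to every interface. The `Bun.serve` and `server.requestIP` calls in the trailing comment are the assumed way to wire it into a Bun server; the project's real server may be structured differently. IPv6 tailnet addresses are not handled here.

```typescript
import { networkInterfaces } from "node:os";

// Tailscale assigns node addresses from the CGNAT block 100.64.0.0/10
// (100.64.0.0 through 100.127.255.255). Binding to that address instead of
// 0.0.0.0 keeps the listener off the LAN and any public interface, whatever
// the host firewall happens to allow.
const TAILSCALE_MASK = 0xffc00000; // /10

/** Parse a dotted-quad IPv4 string into an unsigned 32-bit number; throws on anything else. */
export function ipv4ToInt(addr: string): number {
  const parts = addr.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${addr}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    // Reject empty octets, leading zeros ("01"), whitespace and out-of-range values.
    if (!Number.isInteger(n) || n < 0 || n > 255 || p !== String(n)) {
      throw new Error(`not an IPv4 address: ${addr}`);
    }
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

const TAILSCALE_NET = ipv4ToInt("100.64.0.0");

/** True if `addr` is an IPv4 address inside 100.64.0.0/10. Non-IPv4 input is simply "not tailnet". */
export function isTailscaleAddress(addr: string): boolean {
  let n: number;
  try {
    n = ipv4ToInt(addr);
  } catch {
    return false;
  }
  return ((n & TAILSCALE_MASK) >>> 0) === TAILSCALE_NET;
}

type Iface = { address: string; family: string | number };
type IfaceTable = Record<string, Iface[] | undefined>;

/**
 * Address the server should bind to: the first IPv4 address in 100.64.0.0/10
 * across all interfaces. Throws instead of returning 0.0.0.0 when Tailscale is
 * not up, so a misconfigured start fails closed rather than listening everywhere.
 */
export function tailscaleBindAddress(ifaces: IfaceTable = networkInterfaces()): string {
  for (const addrs of Object.values(ifaces)) {
    for (const a of addrs ?? []) {
      // Node reports family as "IPv4" (older releases used the number 4).
      if ((a.family === "IPv4" || a.family === 4) && isTailscaleAddress(a.address)) {
        return a.address;
      }
    }
  }
  throw new Error("no Tailscale (100.64.0.0/10) address found; refusing to bind to 0.0.0.0");
}

// Assumed usage inside a Bun server (illustrative, not the project's server.ts):
//   const server = Bun.serve({ hostname: tailscaleBindAddress(), port: 3333, fetch: handler });
// Defence in depth: also reject requests whose peer is not a tailnet address.
//   const peer = server.requestIP(req)?.address;
//   if (!peer || !isTailscaleAddress(peer)) return new Response("forbidden", { status: 403 });
```

Binding to the tailnet address and checking the peer address are independent controls: the first keeps the socket unreachable from other networks, the second catches the case where a proxy or port forward on the host re-exposes it.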
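## Example: writing and reading `~/.secrets.json` safely

The Accessing Secrets snippet trusts whatever is in the file, and Security Note 3 says the mode should be `600` without showing how to check it. This added example (not the project's code) assumes the same flat JSON-object format and default path and shows both halves: a writer that creates the file owner-only and replaces it atomically, and a reader that refuses a file anyone else can read, validates the shape, and fails clearly when a secret was never added. `DEFAULT_SECRETS_PATH`, `writeSecretsFile`, `loadSecrets` and `getSecret` are names chosen here, not the skill's API.

```typescript
import { chmodSync, readFileSync, renameSync, statSync, writeFileSync } from "node:fs";
import { homedir } from "node:os";
import { join } from "node:path";

export type Secrets = Record<string, string>;

export const DEFAULT_SECRETS_PATH = join(homedir(), ".secrets.json");

// Any read/write/execute bit for group or others is a leak on a multi-user box.
const GROUP_OTHER_BITS = 0o077;

/**
 * Write the secrets file the way a server should: owner-only mode and an
 * atomic rename, so a concurrent reader never sees a half-written file.
 */
export function writeSecretsFile(secrets: Secrets, path: string = DEFAULT_SECRETS_PATH): void {
  const tmp = `${path}.tmp`;
  // `mode` only applies when the file is created; an existing file keeps its
  // old bits, so chmod explicitly before moving it into place.
  writeFileSync(tmp, JSON.stringify(secrets, null, 2) + "\n", { mode: 0o600 });
  chmodSync(tmp, 0o600);
  renameSync(tmp, path);
}

/**
 * Load the secrets file, refusing it if anyone but the owner can read it or if
 * it belongs to another user. A permission mistake then fails loudly instead
 * of silently handing tokens to whoever shares the machine.
 */
export function loadSecrets(path: string = DEFAULT_SECRETS_PATH): Secrets {
  const st = statSync(path); // ENOENT here means the server has not saved anything yet
  if (!st.isFile()) throw new Error(`${path} is not a regular file`);
  if (typeof process.getuid === "function" && st.uid !== process.getuid()) {
    throw new Error(`${path} is owned by uid ${st.uid}, not the current user`);
  }
  const mode = st.mode & 0o777;
  if ((mode & GROUP_OTHER_BITS) !== 0) {
    throw new Error(`${path} has mode ${mode.toString(8)}; expected 600 (run: chmod 600 ${path})`);
  }
  const parsed: unknown = JSON.parse(readFileSync(path, "utf-8"));
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("secrets file must be a JSON object of name -> value");
  }
  for (const [name, value] of Object.entries(parsed)) {
    if (typeof value !== "string") throw new Error(`secret ${JSON.stringify(name)} is not a string`);
  }
  return parsed as Secrets;
}

/** Fetch one secret, failing clearly when it was never added via the form. */
export function getSecret(secrets: Secrets, name: string): string {
  const value: string | undefined = secrets[name];
  if (value === undefined || value === "") {
    throw new Error(`secret ${JSON.stringify(name)} not set; add it via the web form`);
  }
  return value;
}
```

The ownership check matters on shared hosts: a `600` file owned by someone else is readable to them, not to you, and the reader should say so rather than fail on a confusing `EACCES` later.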
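## Example: checking the `SECRET_PIN` without leaking or brute force

The Hardening section adds a PIN but a four-digit PIN is only useful if guesses are rate-limited and the comparison does not leak. This added example is not the project's code and does not describe how `scripts/server.ts` checks `SECRET_PIN`; it shows what a sound check looks like: both values are hashed so `timingSafeEqual` compares equal-length buffers in constant time (a plain `===` or a length mismatch exception would leak information), and a per-peer failure counter locks a client out after a few wrong attempts. `PinGate`, its option names and the injectable clock are choices made here; keying by the tailnet peer address is the assumed way to identify a client.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

/** Hash to a fixed length so the comparison below is constant-time for any input length. */
function digest(s: string): Buffer {
  return createHash("sha256").update(s, "utf8").digest();
}

/** Constant-time PIN comparison; never short-circuits on length or on the first differing digit. */
export function pinMatches(submitted: string, expected: string): boolean {
  return timingSafeEqual(digest(submitted), digest(expected));
}

type FailureRecord = { count: number; lockedUntil: number };
type PinGateOptions = { maxFailures?: number; lockoutMs?: number; now?: () => number };

/**
 * Per-client attempt limiter around pinMatches. A 4-digit PIN has 10,000
 * possibilities; with 5 attempts per 5-minute lockout that is roughly a week
 * of continuous guessing instead of a few seconds.
 */
export class PinGate {
  private readonly failures = new Map<string, FailureRecord>();
  private readonly expected: string;
  private readonly maxFailures: number;
  private readonly lockoutMs: number;
  private readonly now: () => number;

  constructor(expected: string, opts: PinGateOptions = {}) {
    this.expected = expected;
    this.maxFailures = opts.maxFailures ?? 5;
    this.lockoutMs = opts.lockoutMs ?? 5 * 60_000;
    this.now = opts.now ?? Date.now; // injectable so the lockout can be tested without sleeping
  }

  /** `client` should be the peer address (e.g. from Bun's server.requestIP). */
  check(client: string, submitted: string): "ok" | "wrong" | "locked" {
    const t = this.now();
    const rec = this.failures.get(client);
    // While locked, do not even evaluate the PIN; that also stops a correct
    // guess from being confirmed mid-lockout.
    if (rec && rec.lockedUntil > t) return "locked";

    if (pinMatches(submitted, this.expected)) {
      this.failures.delete(client);
      return "ok";
    }

    let count = rec?.count ?? 0;
    if (rec && rec.lockedUntil !== 0 && rec.lockedUntil <= t) count = 0; // previous lockout expired
    count += 1;
    const lockedUntil = count >= this.maxFailures ? t + this.lockoutMs : 0;
    this.failures.set(client, { count, lockedUntil });
    return lockedUntil ? "locked" : "wrong";
  }
}

// Assumed use in a request handler (illustrative, not the project's code):
//   const gate = new PinGate(process.env.SECRET_PIN ?? "");
//   if (gate.check(peerAddress, form.get("pin") ?? "") !== "ok") return new Response("denied", { status: 403 });
```

The lockout is keyed per client on purpose: a single shared counter would let one misbehaving device lock you out of your own form.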