# VaultKeeper

> Secure secrets and policy management for AI agents. Provides tools to interact with the VaultKeeper daemon via the Control Plane API.

- Author: Brady Simmons
- Repository: sovfound/vault-keeper
- Version: 20260205234846
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/sovfound/vault-keeper
- Web: https://mule.run/skillshub/@@sovfound/vault-keeper~VaultKeeper:20260205234846

---

---
name: VaultKeeper
description: Secure secrets and policy management for AI agents. Provides tools to interact with the VaultKeeper daemon via the Control Plane API.
---

# VaultKeeper Skill

This skill provides tools for secure secrets management, session control, and policy enforcement through the VaultKeeper system.

## Architecture

```
User (You) → VaultKeeper Skills → Control Plane (localhost:3100) → VK Daemon → macOS Keychain
```

All secrets are stored in the macOS Keychain. The VK Daemon enforces policies and issues capability tokens. The Control Plane provides an HTTP API that these skills call.

## Prerequisites

1. VK Daemon must be running: `vk daemon`
2. Control Plane must be running: `vk-control-plane`
3. Control Plane available at `http://127.0.0.1:3100`

## Available Tools

### Session Management

| Tool | Description | Script |
|------|-------------|--------|
| `vk_status` | Get vault status (locked/unlocked, TTL, health) | `scripts/vk_status.ts` |
| `vk_unlock` | Unlock the vault for a duration | `scripts/vk_unlock.ts` |
| `vk_lock` | Lock the vault immediately | `scripts/vk_lock.ts` |

### Secrets Management

| Tool | Description | Script |
|------|-------------|--------|
| `vk_secrets_list` | List stored secrets (names only) | `scripts/vk_secrets_list.ts` |
| `vk_secrets_import` | Import a new secret | `scripts/vk_secrets_import.ts` |
| `vk_secrets_rotate` | Rotate an existing secret | `scripts/vk_secrets_rotate.ts` |
| `vk_secrets_delete` | Delete a secret | `scripts/vk_secrets_delete.ts` |

### Approvals

| Tool | Description | Script |
|------|-------------|--------|
| `vk_approvals_pending` | List pending approval requests | `scripts/vk_approvals_pending.ts` |
| `vk_approve` | Approve a request | `scripts/vk_approve.ts` |
| `vk_deny` | Deny a request | `scripts/vk_deny.ts` |

### Agents & Runs

| Tool | Description | Script |
|------|-------------|--------|
| `vk_agents_list` | List registered agents | `scripts/vk_agents_list.ts` |
| `vk_runs_list` | List recent runs | `scripts/vk_runs_list.ts` |
| `vk_run_start` | Start a new run | `scripts/vk_run_start.ts` |
| `vk_run_stop` | Stop a running run | `scripts/vk_run_stop.ts` |

### Policy

| Tool | Description | Script |
|------|-------------|--------|
| `vk_policy_get` | Get an agent's policy | `scripts/vk_policy_get.ts` |
| `vk_policy_update` | Update an agent's policy | `scripts/vk_policy_update.ts` |

### Commands

| Tool | Description | Script |
|------|-------------|--------|
| `vk_commands_list` | List available commands | `scripts/vk_commands_list.ts` |
| `vk_command_execute` | Execute a command by ID | `scripts/vk_command_execute.ts` |

## Security Notes

- **Never reveal secret values** - Only show names and metadata
- **All actions are audited** - Check `~/.vault-keeper/audit.jsonl`
- **Short TTLs are preferred** - Default unlock is 8 hours
- **Policies enforce access** - Agents only get approved capabilities

## Usage Examples

### Check vault status

```typescript
const status = await vk_status();
// Returns: { ok: true, daemon: {...}, session: { locked: false, ttlRemaining: 28800 } }
```

### List secrets

```typescript
const secrets = await vk_secrets_list();
// Returns: { secrets: [{ name: "OPENAI_KEY", lastRotatedAt: 1706..., rotationDue: false }] }
```

### Approve a request

```typescript
const result = await vk_approve("approval_123456");
// Returns: { success: true, approval: {...}, token: {...} }
```
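
The checks in the Security Notes above, as an added TypeScript example that is not part of the VaultKeeper repository: it reduces a `vk_secrets_list` response to the name and metadata fields shown on this page and flags a long unlock window reported by `vk_status`. `MAX_TTL_SECONDS`, `toSecretMeta`, `reviewSession` and the sample data are assumptions made for illustration.

```typescript
// Added example, not VaultKeeper code. Response shapes follow the samples on
// this page; MAX_TTL_SECONDS and all function names are assumptions.
const MAX_TTL_SECONDS = 3600; // assumed local limit, stricter than the 8-hour default

interface VaultStatus { ok: boolean; session?: { locked: boolean; ttlRemaining: number } }
interface SecretMeta { name: string; lastRotatedAt: number | null; rotationDue: boolean }
interface SessionReview { secrets: SecretMeta[]; warnings: string[] }

// Copy only allow-listed metadata fields. Anything else in the entry (for
// example a value-bearing field) is dropped before it can reach a log or prompt.
function toSecretMeta(raw: Record<string, unknown>): SecretMeta | null {
  const { name, lastRotatedAt, rotationDue } = raw;
  if (typeof name !== "string" || name.length === 0) return null;
  return {
    name,
    lastRotatedAt: typeof lastRotatedAt === "number" ? lastRotatedAt : null,
    rotationDue: rotationDue === true,
  };
}

function reviewSession(status: VaultStatus, list: { secrets: Record<string, unknown>[] }): SessionReview {
  const warnings: string[] = [];
  if (!status.ok) warnings.push("status check failed");
  if (!status.session) {
    warnings.push("no session data: treat vault state as unknown");
  } else if (!status.session.locked && status.session.ttlRemaining > MAX_TTL_SECONDS) {
    // ttlRemaining is read as seconds: 28800 matches the 8-hour default unlock.
    warnings.push(`vault unlocked for another ${status.session.ttlRemaining}s (limit ${MAX_TTL_SECONDS}s)`);
  }
  const secrets: SecretMeta[] = [];
  for (const raw of list.secrets) {
    const meta = toSecretMeta(raw);
    if (meta === null) { warnings.push("skipped malformed secret entry"); continue; }
    if (meta.rotationDue) warnings.push(`rotation due: ${meta.name}`);
    secrets.push(meta);
  }
  return { secrets, warnings };
}

// Constructed sample input. The "value" field is not in the documented
// response; it is included only to show that it gets stripped.
const sampleStatus: VaultStatus = { ok: true, session: { locked: false, ttlRemaining: 28800 } };
const sampleList: { secrets: Record<string, unknown>[] } = { secrets: [
  { name: "OPENAI_KEY", lastRotatedAt: 1700000000, rotationDue: false },
  { name: "DB_PASSWORD", lastRotatedAt: 1600000000, rotationDue: true, value: "constructed-not-real" },
  { lastRotatedAt: 1 },
] };
console.log(JSON.stringify(reviewSession(sampleStatus, sampleList), null, 2));
```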