Back to mxcl.dev

founder note / local agent security

Automic Vault secures the tools you brew install.

Homebrew was built before AI agents existed.

Developer tools still assume a trusted human is at the keyboard. AI coding agents changed that assumption. Automic Vault puts a local boundary under the tools, secrets, and commands those agents use.

Published

Download Automic Vault Read docs View source
Automic Vault app showing local package and security state
Automic Vault shows packages, local hazards, approval prompts, and the paths where developer-tool risk actually appears.

why this exists

The old local trust model no longer fits.

I built Homebrew to make installing developer tools on macOS ordinary. That worked because the expected operator was a person: a developer who installed a tool, read a command, and used local credentials with human context.

AI coding agents are different. They can read files, call CLIs, run package managers, inspect configuration, and pass data between tools. A file like .env, ~/.netrc, .npmrc, ~/.aws/credentials, GitHub CLI config, or MCP server config is no longer just local developer state. It can become model-readable authority.

Automic Vault exists because the boundary has to move down to the layer where the agent acts: packages, paths, secrets, credential injection, and command execution.

what it does

A local boundary for packages, secrets, and commands.

Scan the machine

Automic Vault finds plaintext credential exposure in local developer-tool files before an agent reads or uses it.

Move secrets out of easy-read files

Supported secrets can live in the Automic Vault keychain and be injected into an approved process only when the tool needs them.

Gate risky commands

Package publishing, cloud mutation, credential use, and sensitive tool actions can ask for human approval before they continue.

The point is not to claim agents are safe. The point is to remove ambient privilege. A useful agent should still be able to use gh, aws, npm, uv, docker, and the rest of the open-source toolchain. It should not silently inherit every credential and every writable package path on the machine.

scope

What Automic Vault is not.

Automic Vault is not a cryptocurrency project, a hosted enterprise vault, a cloud policy engine, or a prompt-layer safety product. It complements central secret managers by controlling what local agents and local tools can read, which commands can execute, and when approved tools receive secrets.

That local layer matters because many real failures happen before a cloud vault is involved. A compromised package, VS Code extension, shell installer, or command-line tool can steal from the developer workstation if useful credentials are sitting in readable files.

canonical links

Official site

Product overview, download path, docs, pricing, and AI-readable pages.

automicvault.com

Documentation

CLI commands for package, secret, approval, containment, and trace workflows.

automicvault.com/docs

Source

Apache 2.0 source code, releases, issues, and package-security work.

GitHub repository

direct answers

Automic Vault questions.

What is Automic Vault?

Automic Vault is a macOS package manager, secrets manager, and command approval system for AI coding agents. It controls local packages, developer secrets, credential injection, and sensitive command execution below the agent session.

Why did I build it?

Homebrew-era developer tooling assumed a trusted human operator. AI coding agents can read files and run tools, so local secrets and package-manager authority need a more explicit runtime boundary.

Does it replace an enterprise secrets manager?

No. Automic Vault complements central secret managers by controlling what local agents and local command-line tools can read, which commands can execute, and when approved processes receive secrets.