Initial release: MCP server for credential isolation in LLM agents

- Encrypted store (AES-256-GCM, per-credential IV, scrypt key derivation)
- 4 MCP tools: vault_login, vault_api_request, vault_list, vault_status
- Browser login via Chrome CDP (Playwright connectOverCDP)
- CLI: add, list, remove, audit, dashboard, serve
- Web dashboard on localhost:9900 (self-contained HTML)
- Audit log with SHA-256 hash chain (tamper detection)
- 29 tests including credential sanitization verification
- CI: GitHub Actions (Node 20 + 22)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kobzevvv

.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [20, 22]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm test
+        env:
+          VAULT_MASTER_KEY: ci-test-key

.gitignore

@@ -0,0 +1,7 @@
+node_modules/
+dist/
+*.js.map
+.DS_Store
+*.db
+*.jsonl
+.env

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ChillAI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,116 @@
+# Vault MCP
+
+MCP server for credential isolation in LLM agents. Your bot uses passwords and API keys — but never sees them in its context window.
+
+```
+                    Claude Code
+                        |
+                   vault_login("github")
+                        |
+                   Vault MCP Server
+                   /            \
+         Encrypted Store     Chrome CDP
+         (AES-256-GCM)      (fill form)
+                                |
+                          github.com ✓
+                                |
+                   → { status: "success", page_title: "Dashboard" }
+                   (password never in LLM context)
+```
+
+## Quickstart
+
+```bash
+# 1. Clone and build
+git clone https://github.com/chillai-space/vault-mcp.git
+cd vault-mcp
+npm install
+npm run build
+
+# 2. Add a credential
+node dist/index.js add --site github --email you@example.com --url https://github.com/login
+
+# 3. Register with Claude Code
+claude mcp add -s user vault -- node ~/path/to/vault-mcp/dist/index.js
+
+# 4. Use in Claude Code session
+# "Log me into GitHub" → Claude calls vault_login("github")
+# → Chrome fills the form, Claude gets { status: "success" }
+# → Password never appears in conversation
+```
+
+## MCP Tools
+
+| Tool | Description |
+|------|-------------|
+| `vault_login(site_id)` | Log into a website via Chrome CDP. Returns only status. |
+| `vault_api_request(service, url, ...)` | Make API request with stored credentials injected. |
+| `vault_list()` | List all credentials (no secrets shown). |
+| `vault_status(site_id)` | Check credential status, last used, audit count. |
+
+## CLI Commands
+
+```bash
+vault-mcp add                        # Interactive: add credential
+vault-mcp add --site X --email Y     # Semi-interactive (password prompted)
+vault-mcp list                       # List credentials (no secrets)
+vault-mcp remove <site_id>           # Remove credential
+vault-mcp audit [site_id]            # View audit log
+vault-mcp dashboard                  # Web UI on localhost:9900
+vault-mcp serve                      # Start MCP server (stdio, for debugging)
+```
+
+## Configuration
+
+| Env Variable | Default | Description |
+|-------------|---------|-------------|
+| `VAULT_MASTER_KEY` | (auto-generated) | Master encryption key. If not set, a random key is generated at `~/.vault-mcp/.master-key` |
+| `VAULT_CDP_URL` | `http://localhost:9222` | Chrome DevTools Protocol endpoint |
+
+### Claude Code registration with env vars
+
+```bash
+claude mcp add -s user vault \
+  -e VAULT_MASTER_KEY=my-secret-key \
+  -e VAULT_CDP_URL=ws://localhost:9222 \
+  -- node ~/path/to/vault-mcp/dist/index.js
+```
+
+## Storage
+
+All data is stored in `~/.vault-mcp/`:
+
+| File | Description |
+|------|-------------|
+| `credentials.json` | Encrypted credentials (AES-256-GCM) |
+| `audit.jsonl` | Append-only audit log with SHA-256 hash chain |
+| `.master-key` | Auto-generated master key (if no env var) |
+
+## Testing
+
+```bash
+npm test          # Run all tests
+npm run test:watch # Watch mode
+```
+
+### Manual verification
+
+```bash
+# 1. Add credential and verify isolation
+vault-mcp add --site test --email test@test.com
+vault-mcp list  # → password NOT shown
+
+# 2. Test with MCP Inspector
+npx @modelcontextprotocol/inspector dist/index.js
+# → Call vault_list, vault_status — verify no secrets in responses
+
+# 3. In Claude Code: vault_login → verify no password in conversation
+```
+
+## Security
+
+See [SECURITY.md](SECURITY.md) for threat model and encryption details.
+
+## License
+
+MIT

SECURITY.md

@@ -0,0 +1,51 @@
+# Security
+
+## Threat Model
+
+### What Vault MCP protects against
+
+- **LLM context leakage**: Credentials never appear in the LLM's context window, conversation history, or tool responses
+- **Accidental exposure**: Passwords are stored encrypted at rest, not in plaintext config files
+- **Audit trail tampering**: SHA-256 hash chain ensures any modification to the audit log is detectable
+- **Unauthorized use**: Credentials can be toggled active/inactive, and every use is logged
+
+### What Vault MCP does NOT protect against
+
+- **Compromised host machine**: If an attacker has root access, they can read memory, intercept CDP, or extract the master key
+- **Malicious MCP client**: A compromised Claude Code instance could call `vault_login` for any stored credential
+- **Browser-level attacks**: Vault fills forms via CDP — the credentials exist briefly in Chrome's memory
+- **Network MITM**: Vault doesn't control the TLS connection to target sites
+
+## Encryption Details
+
+| Property | Value |
+|----------|-------|
+| Algorithm | AES-256-GCM |
+| Key derivation | scrypt (from `VAULT_MASTER_KEY` env var) |
+| IV | 16 bytes, random per credential |
+| Auth tag | 16 bytes (GCM integrity) |
+| Storage format | `base64(IV + ciphertext + authTag)` |
+
+Each credential is encrypted independently with a unique random IV. Modifying any byte of the ciphertext will cause decryption to fail (GCM authenticated encryption).
+
+## Audit Log Integrity
+
+The audit log (`~/.vault-mcp/audit.jsonl`) uses a SHA-256 hash chain:
+
+```
+Entry 1: hash = SHA-256("genesis" + JSON(entry))
+Entry 2: hash = SHA-256(entry1.hash + JSON(entry))
+Entry N: hash = SHA-256(entryN-1.hash + JSON(entry))
+```
+
+Modifying or deleting any entry breaks the chain. Verify integrity:
+
+```bash
+vault-mcp audit  # Shows chain status at the bottom
+```
+
+## Responsible Disclosure
+
+If you find a security vulnerability, please report it via GitHub Issues with the `security` label, or email the maintainers directly. We will respond within 48 hours.
+
+Please do **not** open public issues for active exploits.