Enigmagent Mcp

2authSTDIOregistry active

Summary

Keeps your API keys out of LLM context by storing them in a local AES-256-GCM vault and resolving placeholders like {{OPENAI_KEY}} at the MCP boundary. Exposes two tools: enigmagent_resolve to decrypt secrets and enigmagent_list to show what's stored. Every secret is pinned to a domain, so the resolver only returns values when the origin matches. Works with Claude Desktop, Cursor, Continue.dev, Cline, and anything else that speaks MCP over stdio. Also runs in REST mode if you need it behind a proxy. Reach for this when you're building agents that call third-party APIs and you don't want tokens living in chat logs or conversation history.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

enigmagent-mcp

Local encrypted vault MCP server. Your LLM types {{OPENAI_KEY}}. The real value never reaches the model — not in prompts, not in logs, not in conversation history.

npx enigmagent-mcp --vault ./my.vault.json

That's the entire install. Works with Claude Desktop, Cursor, Continue.dev, Cline, Open WebUI, AnythingLLM, LM Studio, Zed, and anything else that speaks MCP.

⭐ Star this repo if you've ever pasted a token you regretted.

The 30-second pitch

You ask Claude to call your GitHub API. Claude needs GITHUB_TOKEN. Three options that all suck:

Paste it in the chat → it lives in the provider's logs forever
Put it in env vars → it leaks the moment Claude reads .env while debugging
Skip the agent → you lose the whole point

Option 4: type {{GITHUB_TOKEN}} in the prompt. EnigmAgent intercepts at the MCP boundary, decrypts locally with AES-256-GCM, and returns the real token only when the requesting origin matches the secret's bound domain. The model literally never has the value.

Setup per client

Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/absolute/path/to/my.vault.json"]
    }
  }
}

Restart Claude. Two new tools appear: enigmagent_resolve and enigmagent_list.

Cursor

~/.cursor/mcp.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Continue.dev

~/.continue/config.yaml:

mcpServers:
  - name: enigmagent
    command: npx
    args: ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]

Cline (VS Code)

cline_mcp_settings.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Open WebUI

# uses mcpo (https://github.com/open-webui/mcpo) as bridge
mcpo --port 8000 -- npx enigmagent-mcp --vault /abs/path/my.vault.json

Custom REST integration

npx enigmagent-mcp --mode rest --port 3737 --vault /abs/path/my.vault.json

Then POST /resolve with {"placeholder": "OPENAI_KEY", "origin": "https://api.openai.com"} returns the decrypted value (only when the origin matches the secret's bound domain).

CI / headless mode

Skip the interactive password prompt with env vars (only do this in trusted environments):

ENIGMAGENT_USER=alice ENIGMAGENT_PASS=… npx enigmagent-mcp --vault ./my.vault.json

Without these, the server starts in locked mode if there's no TTY — useful behind mcp-proxy and similar wrappers.

MCP tools exposed

Tool	Description
`enigmagent_resolve`	Resolve a placeholder to its vault value. Domain binding enforced — the requesting `origin` must match the secret's bound domain
`enigmagent_list`	List secret names + their bound domains. Never returns values

// example tool call
{
  "name": "enigmagent_resolve",
  "arguments": {
    "placeholder": "GITHUB_TOKEN",
    "origin": "https://api.github.com"
  }
}
// → returns the decrypted token string

How it works

LLM emits tool call:  fetch({headers: {Authorization: "Bearer {{OPENAI_KEY}}"}})
                                                              │
                                              ┌───────────────▼───────────────┐
                                              │  enigmagent-mcp (this server) │
                                              │  • match placeholder name     │
                                              │  • check origin == bound dom. │
                                              │  • decrypt with AES-256-GCM   │
                                              └───────────────┬───────────────┘
                                                              │  real token
                                                              ▼
                                                    HTTPS to api.openai.com

The plaintext value exists in process memory for one event-loop tick. Never logged, never in stdout, never visible to the model.

Security model

Layer	Implementation
KDF	Argon2id (m=64 MiB, t=3, p=1) — `@noble/hashes@1.4.0`, bundled
Encryption	AES-256-GCM, 96-bit nonce per entry
Domain binding	Every secret pinned to a domain; resolver rejects mismatched origins
Master key	Lives in process memory only — never written to disk
Vault file	Encrypted JSON, plaintext never persisted

What it does not protect against: a compromised process reading session memory, a malicious MCP server you've connected to with permission to call enigmagent_resolve, side-channels (timing, swap, core dumps). Full threat model: docs/THREAT_MODEL.md.

Full ecosystem

This repo is the MCP server alone. The full EnigmAgent project includes:

Browser extension (Chrome/Firefox/Edge) for credentials inside web forms
Python SDK for LangChain / LlamaIndex / CrewAI
REST + stdio dual-mode API
Domain-bound document injection ({{DOC:filename}})

Main repository: https://github.com/Agnuxo1/EnigmAgent

EnigmAgent is part of the OpenCLAW / P2PCLAW ecosystem of privacy-preserving local AI tooling — a multi-agent scientific research network where dozens of LLM agents need credentials and none of them should have them.

License

MIT — see LICENSE.

Contributing

Pull requests welcome. Security disclosures: see SECURITY.md in the main repo.

— Francisco Angulo de Lafuente

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Configuration

VAULT_PASSWORDsecret

Master password used to decrypt the local EnigmAgent vault (AES-256-GCM + Argon2id).

VAULT_PATH

Path to the vault.json file (default: ./vault.json).

Registryactive

Packageenigmagent-mcp

TransportSTDIO

AuthRequired

UpdatedApr 25, 2026

View on GitHub

enigmagent-mcp

Local encrypted vault MCP server. Your LLM types {{OPENAI_KEY}}. The real value never reaches the model — not in prompts, not in logs, not in conversation history.

npx enigmagent-mcp --vault ./my.vault.json

That's the entire install. Works with Claude Desktop, Cursor, Continue.dev, Cline, Open WebUI, AnythingLLM, LM Studio, Zed, and anything else that speaks MCP.

⭐ Star this repo if you've ever pasted a token you regretted.

The 30-second pitch

You ask Claude to call your GitHub API. Claude needs GITHUB_TOKEN. Three options that all suck:

Paste it in the chat → it lives in the provider's logs forever
Put it in env vars → it leaks the moment Claude reads .env while debugging
Skip the agent → you lose the whole point

Setup per client

Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/absolute/path/to/my.vault.json"]
    }
  }
}

Restart Claude. Two new tools appear: enigmagent_resolve and enigmagent_list.

Cursor

~/.cursor/mcp.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Continue.dev

~/.continue/config.yaml:

mcpServers:
  - name: enigmagent
    command: npx
    args: ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]

Cline (VS Code)

cline_mcp_settings.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Open WebUI

# uses mcpo (https://github.com/open-webui/mcpo) as bridge
mcpo --port 8000 -- npx enigmagent-mcp --vault /abs/path/my.vault.json

Custom REST integration

npx enigmagent-mcp --mode rest --port 3737 --vault /abs/path/my.vault.json

Then POST /resolve with {"placeholder": "OPENAI_KEY", "origin": "https://api.openai.com"} returns the decrypted value (only when the origin matches the secret's bound domain).

CI / headless mode

Skip the interactive password prompt with env vars (only do this in trusted environments):

ENIGMAGENT_USER=alice ENIGMAGENT_PASS=… npx enigmagent-mcp --vault ./my.vault.json

Without these, the server starts in locked mode if there's no TTY — useful behind mcp-proxy and similar wrappers.

MCP tools exposed

Tool	Description
`enigmagent_resolve`	Resolve a placeholder to its vault value. Domain binding enforced — the requesting `origin` must match the secret's bound domain
`enigmagent_list`	List secret names + their bound domains. Never returns values

// example tool call
{
  "name": "enigmagent_resolve",
  "arguments": {
    "placeholder": "GITHUB_TOKEN",
    "origin": "https://api.github.com"
  }
}
// → returns the decrypted token string

How it works

LLM emits tool call:  fetch({headers: {Authorization: "Bearer {{OPENAI_KEY}}"}})
                                                              │
                                              ┌───────────────▼───────────────┐
                                              │  enigmagent-mcp (this server) │
                                              │  • match placeholder name     │
                                              │  • check origin == bound dom. │
                                              │  • decrypt with AES-256-GCM   │
                                              └───────────────┬───────────────┘
                                                              │  real token
                                                              ▼
                                                    HTTPS to api.openai.com

The plaintext value exists in process memory for one event-loop tick. Never logged, never in stdout, never visible to the model.

Security model

Layer	Implementation
KDF	Argon2id (m=64 MiB, t=3, p=1) — `@noble/hashes@1.4.0`, bundled
Encryption	AES-256-GCM, 96-bit nonce per entry
Domain binding	Every secret pinned to a domain; resolver rejects mismatched origins
Master key	Lives in process memory only — never written to disk
Vault file	Encrypted JSON, plaintext never persisted

Full ecosystem

This repo is the MCP server alone. The full EnigmAgent project includes:

Browser extension (Chrome/Firefox/Edge) for credentials inside web forms
Python SDK for LangChain / LlamaIndex / CrewAI
REST + stdio dual-mode API
Domain-bound document injection ({{DOC:filename}})

Main repository: https://github.com/Agnuxo1/EnigmAgent

License

MIT — see LICENSE.

Contributing

Pull requests welcome. Security disclosures: see SECURITY.md in the main repo.

— Francisco Angulo de Lafuente