Skip to main content
Glama
deenesjakoruzh
Agnuxo1

enigmagent-mcp

by Agnuxo1
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Local

enigmagent-mcp

npm version npm downloads License: MIT Crypto Glama MCP GitHub stars

Local encrypted vault MCP server. Your LLM types {{OPENAI_KEY}}. The real value never reaches the model — not in prompts, not in logs, not in conversation history.

npx enigmagent-mcp --vault ./my.vault.json

That's the entire install. Works with Claude Desktop, Cursor, Continue.dev, Cline, Open WebUI, AnythingLLM, LM Studio, Zed, and anything else that speaks MCP.

Star this repo if you've ever pasted a token you regretted.

The 30-second pitch

You ask Claude to call your GitHub API. Claude needs GITHUB_TOKEN. Three options that all suck:

  1. Paste it in the chat → it lives in the provider's logs forever

  2. Put it in env vars → it leaks the moment Claude reads .env while debugging

  3. Skip the agent → you lose the whole point

Option 4: type {{GITHUB_TOKEN}} in the prompt. EnigmAgent intercepts at the MCP boundary, decrypts locally with AES-256-GCM, and returns the real token only when the requesting origin matches the secret's bound domain. The model literally never has the value.

Setup per client

Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/absolute/path/to/my.vault.json"]
    }
  }
}

Restart Claude. Two new tools appear: enigmagent_resolve and enigmagent_list.

Cursor

~/.cursor/mcp.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Continue.dev

~/.continue/config.yaml:

mcpServers:
  - name: enigmagent
    command: npx
    args: ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]

Cline (VS Code)

cline_mcp_settings.json:

{
  "mcpServers": {
    "enigmagent": {
      "command": "npx",
      "args": ["-y", "enigmagent-mcp", "--vault", "/abs/path/my.vault.json"]
    }
  }
}

Open WebUI

# uses mcpo (https://github.com/open-webui/mcpo) as bridge
mcpo --port 8000 -- npx enigmagent-mcp --vault /abs/path/my.vault.json

Custom REST integration

npx enigmagent-mcp --mode rest --port 3737 --vault /abs/path/my.vault.json

Then POST /resolve with {"placeholder": "OPENAI_KEY", "origin": "https://api.openai.com"} returns the decrypted value (only when the origin matches the secret's bound domain).

CI / headless mode

Skip the interactive password prompt with env vars (only do this in trusted environments):

ENIGMAGENT_USER=alice ENIGMAGENT_PASS=… npx enigmagent-mcp --vault ./my.vault.json

Without these, the server starts in locked mode if there's no TTY — useful behind mcp-proxy and similar wrappers.

MCP tools exposed

Tool

Description

enigmagent_resolve

Resolve a placeholder to its vault value. Domain binding enforced — the requesting origin must match the secret's bound domain

enigmagent_list

List secret names + their bound domains. Never returns values

// example tool call
{
  "name": "enigmagent_resolve",
  "arguments": {
    "placeholder": "GITHUB_TOKEN",
    "origin": "https://api.github.com"
  }
}
// → returns the decrypted token string

How it works

LLM emits tool call:  fetch({headers: {Authorization: "Bearer {{OPENAI_KEY}}"}})
                                                              │
                                              ┌───────────────▼───────────────┐
                                              │  enigmagent-mcp (this server) │
                                              │  • match placeholder name     │
                                              │  • check origin == bound dom. │
                                              │  • decrypt with AES-256-GCM   │
                                              └───────────────┬───────────────┘
                                                              │  real token
                                                              ▼
                                                    HTTPS to api.openai.com

The plaintext value exists in process memory for one event-loop tick. Never logged, never in stdout, never visible to the model.

Security model

Layer

Implementation

KDF

Argon2id (m=64 MiB, t=3, p=1) — @noble/hashes@1.4.0, bundled

Encryption

AES-256-GCM, 96-bit nonce per entry

Domain binding

Every secret pinned to a domain; resolver rejects mismatched origins

Master key

Lives in process memory only — never written to disk

Vault file

Encrypted JSON, plaintext never persisted

What it does not protect against: a compromised process reading session memory, a malicious MCP server you've connected to with permission to call enigmagent_resolve, side-channels (timing, swap, core dumps). Full threat model: docs/THREAT_MODEL.md.

Full ecosystem

This repo is the MCP server alone. The full EnigmAgent project includes:

  • Browser extension (Chrome/Firefox/Edge) for credentials inside web forms

  • Python SDK for LangChain / LlamaIndex / CrewAI

  • REST + stdio dual-mode API

  • Domain-bound document injection ({{DOC:filename}})

Main repository: https://github.com/Agnuxo1/EnigmAgent

EnigmAgent is part of the OpenCLAW / P2PCLAW ecosystem of privacy-preserving local AI tooling — a multi-agent scientific research network where dozens of LLM agents need credentials and none of them should have them.

License

MIT — see LICENSE.

Contributing

Pull requests welcome. Security disclosures: see SECURITY.md in the main repo.

Francisco Angulo de Lafuente

Install Server
A
license - permissive license
A
quality
C
maintenance

How are these scores calculated?

Resources

Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Agnuxo1/enigmagent-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server