Vault-0
Encrypted secret vault and policy engine for AI agents
Summary: Vault-0 is a macOS desktop app that encrypts AI agent API keys locally and injects them ephemerally at launch, minimizing plaintext exposure. It includes a policy engine enforcing domain allow/block lists, output redaction, and spend caps, with a SHA-256 chained evidence ledger for logging decisions.
What it does
Vault-0 encrypts secrets using AES-256-GCM and Argon2id. At launch it writes an ephemeral .env file that exists for about two seconds, then securely deletes it. It also enforces policies on outbound requests and records its decisions in a SHA-256 chained evidence ledger.
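How a SHA-256 chained ledger makes logged policy decisions tamper-evident, as an added example that is not Vault-0's own code or ledger format. The field names, the all-zero genesis value and the sample decisions are assumptions made for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor used as prev_hash of the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so a record always serialises to the same bytes.
    # prev_hash is a fixed 64 hex chars, so the concatenation is unambiguous.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(ledger: list, record: dict) -> dict:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev_hash": prev, "record": record,
             "hash": entry_hash(prev, record)}
    ledger.append(entry)
    return entry


def verify(ledger: list, expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.

    expected_head is the last hash as recorded somewhere the ledger writer
    cannot reach. Without it, dropping trailing entries or rewriting the
    whole chain from the start still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if (entry["prev_hash"] != prev
                or entry["hash"] != entry_hash(prev, entry["record"])):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(ledger)  # chain is self-consistent but not the one pinned
    return -1


def build_sample() -> list:
    # Constructed policy decisions, not real Vault-0 log entries.
    ledger: list = []
    append(ledger, {"seq": 0, "decision": "allow", "domain": "api.example.com"})
    append(ledger, {"seq": 1, "decision": "block", "domain": "paste.example.net"})
    append(ledger, {"seq": 2, "decision": "redact", "target": "output"})
    return ledger
```

Editing an entry, even with its own hash recomputed, breaks the link from the entry after it; truncation is only caught when the head hash is pinned outside the ledger.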
Who it's for
It targets users running OpenClaw AI agents who need secure local management of API keys without relying on external secret APIs.
Why it matters
It prevents API key exposure from plaintext environment files and unauthorized agent actions by combining ephemeral secret injection with policy enforcement and audit logging.