@baselineos/vault

v1.6.3

BaselineOS Credential Vault — encrypted, scoped, auditable credential management

@baselineos/vault — Credential Vault

Encrypted, scoped, auditable credential management for AI agents.

What It Does

The Vault ensures credentials are never exposed in plaintext, never scattered across repos, and always audited:

  • AES-256-GCM encryption at rest with per-credential IV, AAD binding, and legacy CBC migration
  • Scoped access — per-agent, per-workflow, per-role credential boundaries
  • Trust-score gating — low-trust agents cannot access high-sensitivity credentials
  • Opaque leases — Agents receive lease IDs, never raw values
  • Audit trail — Every access (granted or denied) logged to SQLite
  • Health monitoring — Expired, unused, and missing credentials surfaced
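An added example (not code from @baselineos/vault) of per-credential IVs and AAD binding with a PBKDF2-derived key: a record sealed under one credential name fails authentication when opened under another. Function names, the AAD layout (name plus scope), the salt handling and the iteration count are assumptions.

```javascript
// Added illustration; not @baselineos/vault source. All names here are hypothetical.
const crypto = require('node:crypto');

// Derive a 256-bit key from the master secret. Salt and iteration count are
// constructed values for this example, not the package's parameters.
function deriveKey(masterKey, salt) {
  return crypto.pbkdf2Sync(masterKey, salt, 600000, 32, 'sha256');
}

// Unambiguous encoding of the record identity that the GCM tag will cover.
function aadFor(name, scope) {
  return Buffer.from(JSON.stringify([name, scope]), 'utf8');
}

function sealCredential(key, name, scope, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every credential
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(name, scope)); // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function openCredential(key, name, scope, record) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAAD(aadFor(name, scope));
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
  } catch {
    // Tag mismatch: wrong key, modified ciphertext, or a record that was
    // copied under a different credential name or scope.
    return null;
  }
}
```

Without the AAD, a ciphertext copied from a low-sensitivity record into a high-sensitivity slot would still decrypt cleanly under the same key; binding name and scope into the tag turns that swap into an authentication failure.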

GTCX Evidence Runner Boundary

Baseline Vault can support GTCX credentialed intelligence smoke runs as a trust-gated cache, but it is not the system of record for EAP customer keys.

| Plane | Direction | System of record | BaselineOS role |
|---|---|---|---|
| Protocol 19 | GTCX -> providers | Baseline Vault (~/.baseline/vault) | @baselineos/vault, MCP baseline_vault, trust-gated leases |
| Protocol 23 / EAP | Customers -> GTCX | AWS Secrets Manager | Optional cache alias for CI/smoke evidence only |

Use the cache taxonomy external_evidence_cache for smoke-only aliases that resolve provider credentials for evidence runners. These aliases are for wrappers such as gtcx-agentic intelligence smoke scripts; they are not customer credential issuance records, EAP source-of-truth records, or production custody guarantees.

Operator pattern:

  1. Import smoke credentials into Baseline Vault with baseline vault store or through the approved gtcx-agentic wrapper.
  2. Trim local env files after import; keep only BASELINE_MASTER_KEY where the wrapper requires vault unlock.
  3. Run evidence wrappers that resolve the vault-backed env in memory and do not echo secrets.
  4. Rotate any staging key that was pasted into chat or logs, then re-import after EAP issue/sync.

Out of scope for this package:

  • EAP issuance HTTP API; that belongs in gtcx-core / @gtcx/eap.
  • AWS Secrets Manager as customer-key system of record; that belongs to Protocol 23.
  • Kubernetes route/auth fixes for staging evidence services.
  • Automatic rotation of GTCX provider keys after chat/log exposure.

CLI Import

Use the CLI when an operator needs to add or rotate a provider token locally:

baseline vault store CLOUDFLARE_API_TOKEN \
  --provider cloudflare \
  --type api-key \
  --min-trust-score 85

The default path prompts with no terminal echo. Non-interactive imports can use --from-env <VAR> or --stdin; neither path prints the secret value.

API

import { CredentialVault } from '@baselineos/vault';

const vault = new CredentialVault({
  persistPath: '.baseline/vault',
  masterKey: process.env.BASELINE_MASTER_KEY,
});
await vault.initialize();

// Store
vault.store('anthropic-key', process.env.ANTHROPIC_API_KEY, {
  type: 'api-key',
  scope: 'global',
});

// Retrieve (audited)
const key = vault.retrieve('anthropic-key', {
  agentId: 'planner-1',
  trustScore: 75,
});

// Issue opaque lease
const lease = vault.issueLease('anthropic-key', { agentId: 'planner-1' }, 60_000);
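
An added in-memory model (not the package's implementation) of the semantics listed above: trust-score gating, opaque lease IDs, and an audit log that records denials as well as grants. The LeaseBroker class, its methods and its fields are hypothetical, and the credential value is constructed.

```javascript
// Added illustration; not @baselineos/vault source. All names here are hypothetical.
const crypto = require('node:crypto');

class LeaseBroker {
  constructor(now = () => Date.now()) {
    this.creds = new Map();  // name -> { value, minTrustScore }
    this.leases = new Map(); // leaseId -> { name, agentId, expiresAt }
    this.audit = [];         // every decision, granted or denied
    this.now = now;          // injectable clock so expiry can be tested
  }

  register(name, value, minTrustScore) {
    this.creds.set(name, { value, minTrustScore });
  }

  // Audit entries carry identity and outcome only, never the secret value.
  record(action, name, agentId, outcome) {
    this.audit.push({ at: this.now(), action, name, agentId, outcome });
  }

  // A missing or too-low trust score fails closed and is still logged.
  issueLease(name, { agentId, trustScore }, ttlMs) {
    const cred = this.creds.get(name);
    const ok = cred !== undefined && trustScore >= cred.minTrustScore;
    this.record('issue', name, agentId, ok ? 'granted' : 'denied');
    if (!ok) return null;
    const leaseId = crypto.randomUUID(); // random handle, contains no secret material
    this.leases.set(leaseId, { name, agentId, expiresAt: this.now() + ttlMs });
    return leaseId;
  }

  // Meant to be called by the trusted executor at the point of use, not by the agent.
  resolve(leaseId, agentId) {
    const lease = this.leases.get(leaseId);
    const ok = lease !== undefined && lease.agentId === agentId &&
      this.now() < lease.expiresAt;
    this.record('resolve', lease ? lease.name : 'unknown', agentId, ok ? 'granted' : 'denied');
    return ok ? this.creds.get(lease.name).value : null;
  }

  revoke(leaseId) {
    return this.leases.delete(leaseId);
  }
}
```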

Package Boundary

This package owns:

  • Credential encryption and decryption (AES-256-GCM + PBKDF2)
  • Scoped access control
  • Lease lifecycle (issue, resolve, revoke)
  • Audit logging
  • Health metrics
  • Vault-managed attestation keys (Ed25519)

It does not own:

  • Key rotation scheduling (Enterprise layer)
  • Shamir secret sharing (Key Recovery in baselineos core — demonstration only, not production)
  • Field-level encryption (Field Encryption in baselineos core)

License

Apache-2.0