aquaman-proxy
v0.13.1
Published
π± API key protection for AI agents. Bring your own vault. Credentials stay where you already keep them, never in the agent's memory.
Maintainers
Readme
aquaman-proxy
The vault + daemon + audit core of aquaman. API key protection for AI agents. Bring your own vault. Credentials stay where you already keep them, never in the agent's memory.
This is the always-on piece: every other aquaman package (aquaman-plugin for OpenClaw, aquaman-coder for AI coding agents) talks to it. If you only install one aquaman package, install this one.
Agent / OpenClaw / Coding Agent Aquaman Proxy
ββββββββββββββββββββββββ ββββββββββββββββββββββββ
β β β β
β ANTHROPIC_BASE_URL βββββ UDS / HTTP ββββ>β Keychain / 1Pass / β
β = aquaman.local β β Vault / Encrypted β
β β<ββββββββββββββββββ β β
β fetch() interceptor ββββ broker:resolve β>β + Policy enforced β
β redirects channel β β + Auth injected: β
β API traffic β β header / url-path β
β β ~/.aquaman/ β basic / oauth β
β No credentials. β proxy.sock β β
β No open ports. β (chmod 0o600) β β
β Nothing to steal. β β β
ββββββββββββββββββββββββ ββββ¬βββββββββββ¬βββββββββ
β β
β βΌ
β ~/.aquaman/audit/
β (hash-chained log)
βΌ
api.anthropic.com
api.mistral.ai
api.telegram.org
slack.com/api β¦Install
npm install -g aquaman-proxy
aquaman setup # backend wizard + store keys
aquaman daemon & # start the proxy on ~/.aquaman/proxy.sockCLI
aquaman help, aquaman doctor are your friends.
25 Builtin Services
| Category | Services | |----------|----------| | Providers | Anthropic, OpenAI, GitHub, xAI, Cloudflare AI Gateway, Mistral, Hugging Face, ElevenLabs | | Channels (header) | Slack, Discord, Matrix, Mattermost, LINE, Twitch, Telnyx, Zalo | | Channels (URL-path) | Telegram | | Channels (basic) | Twilio, BlueBubbles, Nextcloud Talk | | Channels (OAuth) | MS Teams, Feishu, Google Chat | | At-rest only | Nostr, Tlon |
Security
Four layers of protection:
- Process isolation: credentials in a separate address space, connected via UDS (
chmod 0o600) - Service allowlisting:
proxiedServicescontrols which APIs the agent can reach - Request policies: method + path rules per service, checked before credential injection (details in the root README)
- Audit trail: SHA-256 hash-chained logs of every credential use
Bring your own vault. Aquaman has no house vault. It injects credentials from the secret store you already run: Keychain, 1Password, HashiCorp Vault, Bitwarden, KeePassXC, systemd-creds, or encrypted-file. No new store to adopt, no migration.
Broker endpoint (v0.12.0+)
POST /broker/resolve over the UDS - used by aquaman-coder to materialize credentials per tool call. Body:
{"service":"anthropic","key":"api_key","ttl_seconds":60}Response: {"value":"...","expires_at":"2026-05-20T12:34:56Z"}. Validates service/key names against safe regexes; 4 KB body cap; policy is applied before resolution.
Documentation
- Root README: value prop, three-path Quick Start, security model
docs/PACKAGES.md: package boundary policydocs/compliance/: MITRE ATLAS + NIST SP 800-53 mappingsCLAUDE.md: architecture notes
License
MIT
