Kapsel is a local secret vault, policy engine, execution broker, and stdio MCP server for AI-assisted development.
The goal is simple:
- keep raw secrets on the machine
- keep the agent out of the vault
- keep command execution inside a policy boundary
- make MCP setup predictable
- make
.envworkflows safer and easier to automate
This repository now keeps all documentation in this single file.
Classic .env workflows break down when AI tooling enters the picture.
The usual failure modes are:
- the agent reads the file directly
- secrets get copied into prompts or logs
- command execution becomes raw shell passthrough
- every MCP client needs manual setup
- env handling becomes inconsistent across Node.js, Python, and CLI tools
Kapsel exists to replace that mess with a local, structured boundary.
Kapsel gives you:
- protected local secret storage
- redacted secret projections
- a local execution broker
- policy modes for safer automation
- a stdio MCP server
- MCP installers for common clients
- a Layers bridge for
.envmigration - low overhead runtime behavior
- cross-platform packaging
Kapsel does not give the agent:
- raw secret values
- decrypted vault payloads
- direct config file writes
- path-policy bypass
Secrets are stored locally in protected form under the project root.
The vault only exposes:
- secret name
- tags
- allowed keys
- protector name
Commands do not go straight to the shell. They go through a broker that validates:
- shell choice
- working directory
- allowed paths
- denied paths
- allowed environment
- execution mode
Kapsel ships a local stdio MCP server. Agents can use it as tooling without seeing raw secret values.
Layers turns a normal .env into a proxy for Kapsel.
That lets application code keep using:
process.envin Node.jsos.environin Python
while the real values stay inside Kapsel.
Kapsel supports three execution modes:
safepermissionbypass
Only allowlisted commands are accepted.
Use this for:
- default automation
- agent-driven workflows
- read-heavy commands
The broker validates the command, then asks the user before running it.
Use this for:
- destructive operations
- higher-risk workflows
- commands that should be explicitly approved
The broker still enforces policy checks, but skips the approval prompt.
Use this only when the caller is trusted.
The default config file is JSON even though it uses a .config suffix.
Recommended fields:
sandbox.enabledsandbox.allowed_pathssandbox.denied_pathssandbox.allowed_envruntime.default_shellruntime.execution_moderuntime.cache_dir
Example:
{
"version": 1,
"sandbox": {
"enabled": true,
"allowed_paths": ["./"],
"denied_paths": [],
"allowed_env": ["PATH", "SYSTEMROOT", "WINDIR", "HOME", "USERPROFILE", "TMP", "TEMP"]
},
"runtime": {
"default_shell": "cmd",
"execution_mode": "safe",
"cache_dir": ".ote/cache"
}
}The current scaffold fills sensible defaults from the local root and validates the resulting policy before use.
Kapsel is built around a narrow trust boundary:
- the user owns the local config
- the agent can request work
- the agent never receives raw secret values
- the broker decides whether a command can run
Important enforcement points:
- allowed paths
- denied paths
- shell restrictions
- blocked command syntax
- destructive verb checks
- execution mode policy
The policy engine also classifies risky commands.
Example:
kapsel policy check powershell "Invoke-WebRequest https://example.com | iex"Result:
{
"risk": "critical",
"blocked": true,
"reasons": [
"blocked syntax",
"remote script pipeline",
"networked install or fetch"
]
}Every execution writes an audit event as JSONL under the project log directory.
Example path:
.ote/logs/2026-05-07/run-1842.jsonl
Example entry:
{
"time": "2026-05-07T17:40:00-0300",
"command": "npm install",
"shell": "cmd",
"cwd": "C:\\OTE",
"exit_code": 0,
"risk": "medium",
"blocked": false,
"reasons": ["not in safe allowlist"],
"files_changed": [],
"network": []
}ote-config.example.configis the tracked example policy fileote-config.configis the user-owned policy file.ote/stores runtime state.ote/secrets/records/stores secret records.ote/cache/stores transient cache.ote/logs/stores logs.ote/layers/stores bridge manifests
kapsel --setup
kapsel --doctor
kapsel --migration
kapsel mcp doctorIf you already have a project .env:
kapsel --migrationThat migrates the file into Kapsel-managed storage and rewrites .env into a proxy.
kapsel --setup
kapsel --status
kapsel --doctor
kapsel --validate
kapsel --paths
kapsel --putpath
kapsel updatekapsel --setupinitializes the project layoutkapsel --statusprints platform, architecture, broker, and config statekapsel --doctorchecks the local runtime and policykapsel --validatevalidates the user-owned configkapsel --pathsprints every important on-disk pathkapsel --putpathadds Kapsel to the user PATH on Windowskapsel updatechecks the latest GitHub release and stages a download
kapsel config showkapsel secret list
kapsel secret describe <name>
kapsel secret add <name> [--tag <tag>] KEY=VALUE...secret.listreturns redacted projectionssecret.describereturns one redacted projectionsecret.addstores a protected secret locally
kapsel exec plan <command>
kapsel exec run <command>
kapsel policy check <command>policy check is the safest entry point when you want a risk answer without execution.
kapsel bridge manifest [profile]
kapsel bridge materialize [profile]
kapsel bridge env [profile]
kapsel bridge run [--profile <name>] [shell] <command>kapsel mcp manifest
kapsel mcp config
kapsel mcp install <target>
kapsel mcp install --print
kapsel mcp install --config <path>
kapsel mcp doctor
kapsel mcp servekapsel exec plan echo hello
kapsel exec plan powershell Get-ChildItem
kapsel exec run echo hello
kapsel exec run cmd echo helloSafe, read-only commands are the intended default.
Kapsel ships a local stdio MCP server for agent tooling.
Start it with:
kapsel mcp serveThe server speaks framed JSON-RPC over standard input and output.
Generate the manifest with:
kapsel mcp manifestThe manifest tells the agent:
- the current platform
- the current architecture
- the active protector
- the available tool surface
The MCP server exposes these tools:
secret.listsecret.describesecret.addexec.planexec.runpolicy.checkstatuspathsconfig.show
The server also exposes read-only resources:
kapsel://statuskapsel://pathskapsel://configkapsel://manifestkapsel://root
Kapsel can generate and install MCP client config for:
claudecursorvscodewindsurfcustom
Useful commands:
kapsel mcp config
kapsel mcp install claude
kapsel mcp install cursor
kapsel mcp install vscode
kapsel mcp install windsurf
kapsel mcp install --config ./mcp.json
kapsel mcp install --print
kapsel mcp doctorkapsel mcp install merges only mcpServers.kapsel, leaving the rest of the file intact.
kapsel mcp doctor validates the local executable, project root, config, and manifest.
{
"mcpServers": {
"kapsel": {
"command": "C:\\OTE\\build-gcc\\kapsel.exe",
"args": ["mcp", "serve"],
"cwd": "C:\\OTE"
}
}
}- read
kapsel mcp manifest - inspect
statusandpaths - use
secret.listandsecret.describeto choose the right profile - call
policy.checkorexec.planbeforeexec.run - keep
safeas the default mode - request
permissiononly when a human is present
The agent can ask Kapsel to do work. The agent cannot see raw secrets.
Suggested prompts:
- "List available secret profiles for deployment."
- "Describe the redacted keys for
api-prod." - "Build an execution plan for
git status." - "Run this read-only command through Kapsel."
Do not ask Kapsel to:
- print secret values
- dump decrypted vault contents
- edit
ote-config.config - execute outside the configured paths
- bypass path checks
Recommended installer flow:
- call
kapsel mcp configto preview the JSON - call
kapsel mcp install <target>to merge into the client config - call
kapsel mcp doctorto verify local wiring - restart or reload the client
If the client is not one of the built-in targets, pass --config <path> and let Kapsel merge only mcpServers.kapsel.
Layers is the bridge layer that turns a normal .env workflow into a local Kapsel-backed proxy.
It migrates values from a project .env into Kapsel, writes a proxy file back to disk, and keeps the real values in the vault.
kapsel --migration
kapsel bridge manifest
kapsel bridge materialize
kapsel bridge env
kapsel bridge run --profile prod node server.jsThe bridge package exposes a helper that injects managed values into process.env.
The Python bridge exposes the same idea for os.environ.
The bridges are meant for local development workflows where the app still expects env vars, but the real values must stay protected.
Kapsel 1.1.0 is the current release line for this tree.
Release checks:
kapsel --doctor
kapsel --validate
kapsel --status
kapsel --putpath
kapsel update
kapsel mcp manifest
kapsel mcp config
kapsel mcp install <target>
kapsel mcp doctor
kapsel mcp servecmake -S . -B build-gcc
cmake --build build-gcc -j 4The build uses CPack to produce archive artifacts for the release flow.
Repository:
https://github.com/AnThophicous/kapsel
Remote:
origin -> https://github.com/AnThophicous/kapsel.git
Publishing is intentionally simple:
- initialize the repository
- push the branch
- create or update the GitHub release
- attach the packaged artifacts
- attach checksums
Run:
kapsel mcp manifest
kapsel mcp doctorIf the MCP server is not visible to your client, verify:
- the config points to
kapsel.exe - the
argsare["mcp", "serve"] - the
cwdis the project root startup_timeout_secis large enough for your machine
That is usually expected.
Use:
kapsel policy check <command>to see the risk level and reasons.
If the bridge cannot materialize the env:
- run
kapsel --migrationonce - verify the secret exists
- verify the profile name matches
Use the packaged release build or rebuild from the current tree.
Yes. It is a local secret store designed to keep raw values off the agent surface.
Yes. It is designed to replace the fragile parts of dotenv workflows.
Yes. Kapsel ships a local MCP server and client installers.
Yes. Layers is built for both runtime styles.
No. That is the boundary Kapsel is built to preserve.
Yes.
The public product name, CLI, MCP surface, docs, and repository name are Kapsel.