Open Source · MIT License · v0.1.0

AI Agent Credential Proxy.
Zero Knowledge. Zero Leaks.

Straylight-AI is a self-hosted Docker container that keeps your API keys completely out of AI agent context windows. Claude Code and Cursor make real API calls — your credentials never appear in prompts, logs, or responses.

$ npx straylight-ai
Requires Docker. Starts in under 30 seconds.

AI agents are leaking your credentials

Every time an AI coding assistant reads your .env file, accesses shell history, or processes log output, your API keys enter its context window. From there, they can be echoed in responses, logged to disk, or exfiltrated through prompt injection attacks.

CVE-2025-59536

Prompt injection via crafted API responses causes AI coding assistants to echo stored credentials in subsequent tool outputs, bypassing context isolation.

CVSS 8.1 High

CVE-2026-21852

AI agent log capture during automated test runs exposes environment variable values including cloud provider credentials, database passwords, and payment API keys.

CVSS 9.3 Critical

.env File Exposure

AI agents routinely read .env files when asked to debug configuration issues, run tests, or understand project setup. This is standard behavior — and a massive security gap.

Pervasive Risk

Shell History Leakage

Commands like curl -H "Authorization: Bearer sk-..." sit in shell history files. When an AI agent reads history for context, those tokens become part of its working memory.

Common Pattern

Straylight-AI solves this at the transport layer. Credentials never enter the agent's context window — not even for a millisecond.

Credential injection at the transport layer

Straylight-AI sits between your AI agent and the external world. The agent asks for API calls using service names — never credential strings. Straylight fetches the credential from the encrypted vault and injects it directly into the HTTP request.

Output sanitization runs two-layer detection (regex + value matching) to catch any credential that might leak through API responses.

Everything you need to secure AI agent credentials

Built specifically for developers using AI coding assistants, not adapted from enterprise secrets managers. Every feature addresses a real credential leak vector.

Zero-Knowledge Proxy

Credentials are injected at the HTTP transport layer. The AI agent's context window never contains a credential string, even temporarily.

Encrypted Vault Storage

OpenBao (open-source Vault fork) provides enterprise-grade encrypted storage. Auto-init, auto-unseal, AppRole authentication — fully automated.

MCP Integration

Four MCP tools (api_call, exec, check, services) expose capabilities to Claude Code, Cursor, and any MCP-compatible client.

Output Sanitization

Two-layer detection combining regex pattern matching and live value matching strips any credential from API responses before reaching the agent.

16 Service Templates

Pre-configured templates for GitHub, Stripe, OpenAI, Anthropic, AWS, GCP, Azure, PostgreSQL, MySQL, MongoDB, Redis, SSH, and more.

Claude Code Hooks

PreToolUse hooks block credential-leaking commands. PostToolUse hooks sanitize output. Double defense against accidental exposure.

Works with 16 services out of the box

Pre-built templates handle authentication for every major cloud provider, API platform, and database. Add custom services with any auth method in under a minute.

GitHub
Stripe
OpenAI
Anthropic
AWS
GCP
Azure
PostgreSQL
MySQL
MongoDB
Redis
Slack
Linear
Jira
SSH
Custom REST APIs

One command. Zero configuration.

npx straylight-ai pulls the Docker image, initializes the vault, starts the MCP server, and registers it with Claude Code. Everything automated.

Terminal
$ npx straylight-ai
Checking Docker...
Pulling aj-geddes/straylight-ai:0.1.0
0.1.0: Pulling from aj-geddes/straylight-ai
Digest: sha256:a3f2e1...
Status: Downloaded newer image
Starting container straylight-ai...
Waiting for OpenBao vault to initialize...
Vault initialized (auto-unseal enabled)
Configuring AppRole authentication...
AppRole configured
Starting MCP server...
MCP server listening
Registering with Claude Code...
Claude Code MCP registered: straylight-ai
 
Straylight-AI is running!
Dashboard: http://localhost:9470
MCP endpoint: stdio via npx straylight-ai mcp

1. Install and start

Run npx straylight-ai. Requires Docker to be running. That is the only prerequisite.

2. Add your services

Open http://localhost:9470 and use the wizard to add a GitHub PAT, Stripe key, or any other service credential.

3. Ask your AI agent

Tell Claude Code to check your GitHub notifications or create a Stripe payment link. It works — without ever seeing your key.

Defense in depth for AI agent credentials

Every layer of Straylight-AI is designed with the assumption that the AI agent is potentially compromised. Multiple independent controls prevent credential exfiltration.

Layer 1

Vault Encryption at Rest

All credentials stored in OpenBao are encrypted with AES-256-GCM before being written to disk. The encryption key is never stored alongside the data. Auto-unseal uses a separate derived key.

Layer 2

AppRole Authentication

Straylight's MCP server uses AppRole auth to retrieve secrets from the vault. The RoleID and SecretID are separated — neither alone can authenticate. Tokens are short-lived and auto-renewed.

Layer 3

Transport-Layer Injection

Credentials are added to HTTP requests at the network transport layer, after the MCP tool call completes its parameter parsing. The credential value is never in a Go string that the MCP layer handles.
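
The injection step described above, sketched with Go's `http.RoundTripper` as an added example (not Straylight-AI's own code). `Vault`, `injector`, `upstream` and `APICall` are hypothetical names, the token is constructed, and the remote API is replaced by a stub so the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
)

// Vault maps service name -> {header, value}; hypothetical stand-in for the vault lookup.
type Vault map[string][2]string

// injector adds the credential inside the transport, after the request is already built.
type injector struct {
	service string
	vault   Vault
	next    http.RoundTripper
}

func (t injector) RoundTrip(req *http.Request) (*http.Response, error) {
	cred, ok := t.vault[t.service]
	if !ok {
		return nil, fmt.Errorf("no credential for service %q", t.service)
	}
	out := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	out.Header.Set(cred[0], cred[1]) // replaces any value the caller tried to supply
	return t.next.RoundTrip(out)
}

// upstream is a stub for the remote API that records the header it received.
type upstream struct{ sawAuth string }

func (u *upstream) RoundTrip(req *http.Request) (*http.Response, error) {
	u.sawAuth = req.Header.Get("Authorization")
	return &http.Response{StatusCode: 200, Body: http.NoBody, Request: req}, nil
}

// APICall takes a service name and URL only; it returns the status and what upstream saw.
func APICall(v Vault, service, url string) (int, string, error) {
	up := &upstream{}
	resp, err := (&http.Client{Transport: injector{service, v, up}}).Get(url)
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	return resp.StatusCode, up.sawAuth, nil
}

func main() {
	v := Vault{"github": {"Authorization", "Bearer constructed-token"}}
	fmt.Println(APICall(v, "github", "https://api.example.test/user"))
}
```

The caller of `APICall` passes and receives no credential string; only the cloned request inside the transport carries it.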

Layer 4

Output Sanitization

Two-phase scanning: first regex patterns detect common credential formats (Bearer tokens, API key prefixes, connection strings). Then live value matching checks for the actual stored credential values.
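
A sketch of the two-phase scan described above, as an added example (not Straylight-AI's own code). The three patterns, the 8-byte minimum, the `[REDACTED]` marker and the sample response are all constructed for illustration; the second stored value has no recognizable format, so only value matching catches it.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Layer 1: credential formats, in order: bearer tokens, API key prefixes,
// connection strings. These patterns are constructed for this example.
var formats = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{16,}`),
	regexp.MustCompile(`\b(?:sk|pk|ghp)[-_][A-Za-z0-9_-]{16,}`),
	regexp.MustCompile(`\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@[^\s/]+`),
}

// Sanitize redacts credential-shaped text, then every stored value, and
// returns the cleaned body with the number of redactions made.
func Sanitize(body string, stored []string) (string, int) {
	hits := 0
	for _, re := range formats {
		body = re.ReplaceAllStringFunc(body, func(string) string {
			hits++
			return "[REDACTED]"
		})
	}
	// Layer 2: exact stored values, longest first so a value that contains
	// another is removed whole. Values under 8 bytes are skipped so ordinary
	// output is not shredded by accidental matches.
	vals := append([]string(nil), stored...)
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	for _, v := range vals {
		if len(v) < 8 {
			continue
		}
		hits += strings.Count(body, v)
		body = strings.ReplaceAll(body, v, "[REDACTED]")
	}
	return body, hits
}

func main() {
	// Constructed API response echoing two stored credentials.
	stored := []string{"sk-EXAMPLEexample0123456789", "Tr0ub4dor-internal-legacy-key"}
	resp := `{"echo":"Authorization: Bearer sk-EXAMPLEexample0123456789","debug":"key=Tr0ub4dor-internal-legacy-key"}`
	fmt.Println(Sanitize(resp, stored))
}
```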

Layer 5

Claude Code Hooks

PreToolUse hooks intercept and block tool calls that would expose credentials: reading .env files, printing environment variables, accessing shell history. PostToolUse hooks sanitize any output that slips through.

How Straylight-AI compares

Existing solutions were built for human operators, not AI agents. Straylight-AI is purpose-built for the agent threat model.

Comparison of Straylight-AI, AgentSecrets, Akeyless, 1Password Agentic, and .env files across key security and usability features
Feature Straylight-AI Our pick AgentSecrets Akeyless 1Password Agentic .env Files
Zero-knowledge proxy
Self-hosted
MCP integration
Vault backend
Output sanitization
Claude Code hooks
One-command install
Open source MIT
Free to use Always Freemium Freemium Paid
Service templates 16 built-in 8 built-in Custom only Custom only None

⟳ = Partial support. Comparison based on publicly available documentation as of Q1 2026.

Get started in 2 minutes

One command installs and configures everything. Your AI agent will be making secure API calls before your next coffee.