Features — Zero-Knowledge Proxy, MCP Tools, Vault Storage, Dynamic Secrets

Core Architecture

Zero-Knowledge Proxy

The most fundamental guarantee Straylight-AI provides: credentials are never in the AI agent's context window. Not when stored. Not when retrieved. Not when used.

When Claude Code calls the api_call MCP tool, it provides a service name and request parameters — but no credential. Straylight retrieves the credential from the vault, injects it as an HTTP header at the transport layer, and returns only the response data. The credential is never in a string that the MCP handler sees.

This is distinct from "secrets management" where you still pass a credential to the calling process. In Straylight's model, the calling process (the AI agent) is the untrusted party.

Credential injection happens below the MCP abstraction layer
Go's http.RoundTripper interface used for transport-layer injection
Credential value is never in a logged variable or stack frame visible to MCP
Works with any HTTP-based API, REST or GraphQL

Storage

Encrypted Vault Storage

Straylight uses OpenBao, the community fork of HashiCorp Vault, as its encrypted credential store. OpenBao uses AES-256-GCM encryption for all secrets at rest. The encryption key is never stored adjacent to the data.

On first run, Straylight automatically initializes the vault, generates unseal keys, and configures auto-unseal so the vault recovers seamlessly if the container restarts. No manual vault administration needed.

The MCP server authenticates to the vault using AppRole authentication — a two-factor mechanism where the RoleID and SecretID are separated. Neither alone can authenticate. Tokens are short-lived and automatically renewed.

OpenBao (open-source Vault fork, Apache 2.0 licensed)
AES-256-GCM encryption at rest, TLS in transit
Auto-init and auto-unseal on container start
AppRole auth with separated RoleID and SecretID
Credentials persist across container restarts
No plain-text secrets on disk at any point

MCP Integration

Seven MCP Tools

Straylight exposes seven tools via the Model Context Protocol, compatible with Claude Code, Cursor, Windsurf, and any MCP-compatible client. The tools are registered automatically when you run npx straylight-ai.

straylight_api_call Primary

Make an authenticated HTTP request to a configured service. Parameters: service (service name), method, path, body (optional), headers (optional). Credentials injected automatically.

straylight_api_call({
  "service": "github",
  "method": "GET",
  "path": "/user/repos"
})

straylight_exec

Execute a command with service credentials injected as environment variables in an isolated subprocess. The AI coding assistant sees the output but never the env vars. Useful for CLI tools like aws, gcloud, stripe. In v0.2.0, cloud provider commands receive ephemeral STS/GCP/Azure credentials.

straylight_check

Verify connectivity and authentication status for a configured service. Returns account info (username, plan, stats) if available. Does not expose the credential itself — only confirms it works.

straylight_services

List all configured services and their current status (connected, error, unconfigured). The AI coding assistant can see what services are available without knowing any credentials. Used for capability discovery.

straylight_db_query New in v0.2.0

Query a configured database. Straylight provisions a temporary scoped user, executes the query, and returns results. The database password is never in the AI's context at any point.

straylight_scan New in v0.2.0

Scan the current project directory for exposed secrets. Returns findings by file, line, and pattern category. Generates recommended ignore file entries for Claude Code, Cursor, Windsurf, and Roo.

straylight_read_file New in v0.2.0

Read a file with secrets automatically redacted. Blocked file types return a vault-redirect message. Config files are returned with structure intact and secret values masked as [STRAYLIGHT:service-name].

Output Sanitization — Before & After

// Raw API response (BEFORE sanitization)

{

"error": "Invalid token:",

"token": "ghp_xK2mN9pQ3rT5vW8yZ1aB4cD7eF0g",

"message": "Token expired"

}

// After output sanitization (SAFE for agent)

{

"error": "Invalid token:",

"token": "[REDACTED]",

"message": "Token expired"

}

// Two-layer detection:

// 1. Regex: /ghp_[a-zA-Z0-9]{36}/

// 2. Value match: stored credential value

Defense Layer 4

Two-Layer Output Sanitization

Even with transport-layer injection, some APIs echo back credentials in error messages, log entries, or diagnostic responses. Straylight's output sanitizer catches this before the data reaches the AI agent.

The sanitizer runs two independent detection passes on every API response:

Pass 1 — Regex patterns: Common credential formats are matched by regular expression. GitHub PATs (ghp_), Stripe keys (sk_live_, sk_test_), OpenAI keys (sk-), AWS access keys (AKIA), Bearer tokens, and generic API key patterns are all covered.

Pass 2 — Live value matching: The actual stored credential values are compared against the response body. This catches obfuscated or encoded credentials that regex might miss.

Matched values are replaced with [REDACTED] in the output returned to the agent. The replacement is logged (without the credential value) so you can audit when sanitization fires.

Templates

16 Service Templates

Pre-configured templates handle all authentication details. Pick a service, enter your credential, done. The wizard knows the right endpoint, auth header format, and account info fields for each service.

Source Control & Dev Tools

GitHub Personal Access Token (PAT) — reads username, avatar, public/private repos, stars

Linear API Key — issues, teams, projects

Jira Basic auth with email + API token — issues, boards, projects

AI & ML APIs

OpenAI API Key — models, completions, embeddings

Anthropic API Key — Claude models, messages API

Cloud Providers

AWS Access Key ID + Secret Access Key + Region — SigV4 signing

GCP Service Account JSON or OAuth2 token

Azure Service Principal or Managed Identity

Payment & Communications

Stripe Secret key or Restricted key — customers, charges, subscriptions

Slack Bot token (xoxb-) or App token (xapp-)

Databases

PostgreSQL Connection string injection for psql CLI and query tools

MySQL Connection string with host, port, user, password, database

MongoDB Connection URI with credentials

Redis URL with password for redis-cli and client libraries

Infrastructure

SSH Private key injection via temporary ssh-agent socket

Generic REST API Custom base URL, auth method (Bearer, Basic, API key header/query), any endpoint

Defense Layer 5

Claude Code Hooks

Claude Code supports lifecycle hooks that run before and after tool calls. Straylight ships a hook configuration file that provides two layers of defense directly inside the Claude Code process.

PreToolUse hooks intercept tool calls before they execute and can block them. Straylight blocks commands that commonly expose credentials:

cat .env, cat .env.local, cat .envrc
echo $STRIPE_SECRET_KEY and similar env var echoes
env, printenv, set (dumps all environment)
cat ~/.bash_history, cat ~/.zsh_history
cat ~/.aws/credentials, cat ~/.ssh/id_rsa

PostToolUse hooks run after a tool call completes and receive the output. Straylight's PostToolUse hook applies the same two-layer output sanitization (regex + value matching) to the tool output before it's returned to Claude Code.

hook-config.json (excerpt)

{

"hooks": {

"PreToolUse": [

{

"matcher": "Bash",

"hooks": [{

"type": "command",

"command": "npx straylight-ai hook"

}]

}

],

"PostToolUse": [...]

}

# Installed automatically by npx straylight-ai

# at ~/.claude/settings.json

Dynamic Secrets

Dynamic Database Credentials

Connect your PostgreSQL, MySQL, or Redis database. Straylight creates temporary users with limited permissions and auto-revokes them. Your AI coding assistant queries the database without ever seeing a password.

When your AI coding assistant calls the straylight_db_query MCP tool, Straylight provisions a temporary database user via the OpenBao database secrets engine, executes the query through an internal connection pool, and revokes the user when the lease expires. No static database password is ever needed in a config file.

Temporary users created on demand with scoped permissions (read-only by default)
Leases expire in 5–15 minutes and are auto-revoked via OpenBao
Lease-aware credential cache replaces fixed-TTL caching for dynamic secrets
Supports PostgreSQL, MySQL, MariaDB, and Redis (OpenBao built-in plugins)
Database admin credentials stored in vault, never exposed to the AI

Dynamic Secrets

Cloud Provider Temporary Credentials

Configure AWS, GCP, or Azure once. Straylight generates scoped, time-limited credentials for every command. No long-lived access keys in your AI's context.

When your AI coding assistant runs a cloud CLI command through straylight_exec, Straylight calls AWS STS AssumeRole, GCP token service, or Azure identity to generate ephemeral credentials. These are injected as environment variables into the subprocess. The AI sees only the command output, never the keys.

AWS: STS AssumeRole generates temporary AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN
GCP: short-lived access tokens from the token service, no service account JSON files needed
Azure: app registration tokens via the Azure identity SDK
Parent credentials (IAM key, service account) stored encrypted in vault only
Scope templates available: read-only, deploy, specific service permissions

Prevention

Project Secret Scanner

Scan your project for exposed secrets before your AI reads them. Detects API keys, tokens, private keys, and connection strings across 14 pattern categories.

Call the straylight_scan MCP tool to walk your project directory and report files containing secrets. Each finding includes the file path, line number, secret type, and severity. The scanner recommends which files to add to your .claudeignore, .cursorignore, or .rooignore to keep those files out of the AI context window.

14 pattern categories: AWS keys, GitHub PATs, Stripe keys, OpenAI keys, private keys, connection strings, and more
Reuses the same regex engine as the output sanitizer — proven detection patterns
Reports findings with redacted snippets so you can confirm without seeing the full secret
Generates ready-to-paste ignore rules for Claude Code, Cursor, Windsurf, and Roo
Findings logged to the audit trail

straylight_scan output

Scanning /home/user/myproject ...

CRITICAL .env:3

Type: AWS Access Key (AKIA...)

Preview: AKIA[REDACTED]

HIGH docker-compose.yml:18

Type: Connection string (postgres://)

Preview: postgres://admin:[REDACTED]@...

HIGH config/settings.py:42

Type: Generic API key pattern

Preview: SECRET_KEY = "[REDACTED]"

Recommended .claudeignore additions:

.env

docker-compose.yml

config/settings.py

straylight_read_file — docker-compose.yml

// Raw file content (BLOCKED from AI)

services:

db:

environment:

POSTGRES_PASSWORD: hunter2

DATABASE_URL: postgres://admin:hunter2@db/app

// straylight_read_file returns (SAFE for AI)

services:

db:

environment:

POSTGRES_PASSWORD: [STRAYLIGHT:db]

DATABASE_URL: [STRAYLIGHT:db]

# .env files: blocked entirely

# config files: structure preserved, secrets masked

Defense Layer 6

Sensitive File Firewall

Read files with secrets automatically redacted. Blocked files return guidance to use the vault instead. Config files preserve structure with secrets masked.

The straylight_read_file MCP tool is the secure alternative to reading files directly. It intercepts the file content, applies block and redact rules, and returns a clean version to the AI coding assistant. Files like .env are blocked entirely. Files like docker-compose.yml and settings.py are served with secrets replaced by [STRAYLIGHT:service-name] placeholders.

Block patterns: .env, .env.*, *credentials*, *secret*, SSH private keys
Redact patterns: config files with recognized secret variable names
Config files preserve YAML/TOML/INI structure so the AI can reason about them
Blocked files return a vault-redirect message guiding the AI to use straylight_api_call instead
Works across all AI coding assistants, not only Claude Code hooks

Observability

Credential Audit Trail

Every credential access is logged. See which services were used, when, and by which tool. JSON Lines format for easy integration.

The audit logger records every straylight_api_call, straylight_exec, straylight_db_query, and straylight_read_file invocation with a timestamp, service name, tool name, and request summary — with credentials redacted. Logs are written to an append-only JSON Lines file in /data/audit/ and are viewable from the dashboard.

Append-only JSON Lines format at /data/audit/access.jsonl
File rotation at 100 MB, configurable retention
In-memory ring buffer for fast dashboard queries without scanning the log file
Dashboard audit page: filter by service, tool, and time range
When a leak or breach occurs, you can trace exactly which session triggered which credential access

/data/audit/access.jsonl

{"ts":"2026-03-26T14:22:01Z","tool":"straylight_api_call",

"service":"github","method":"GET","path":"/user/repos",

"credential_used":true,"secret_in_response":false}

{"ts":"2026-03-26T14:22:14Z","tool":"straylight_exec",

"service":"aws","command":"aws s3 ls s3://my-bucket",

"credential_used":true,"temp_cred_ttl_s":900}

{"ts":"2026-03-26T14:23:05Z","tool":"straylight_db_query",

"service":"postgres-prod","lease_id":"db/creds/readonly/abc123",

"lease_ttl_s":600,"rows_returned":12}

{"ts":"2026-03-26T14:24:10Z","tool":"straylight_read_file",

"path":"docker-compose.yml","action":"redacted",

"patterns_matched":2}

Built for the AI agent threat model