Automic Vault icon Automic Vault

Security model

Agent security belongs at the local runtime boundary

Automic Vault protects macOS developer machines by moving secrets out of plaintext files, injecting approved credentials into trusted tools, and gating sensitive commands before they execute.

Last updated: June 3, 2026

Automic Vault is a local macOS security layer for AI coding agents. Its security model assumes the agent may read project files and invoke local tools, so secrets are moved out of plaintext files, approved credentials are injected only into trusted executables, and sensitive commands can require human approval before they run.

Automic Vault console

Threat model. The risk is an agent with filesystem and tool access.

Automic Vault assumes a local AI coding agent can read project files, inspect shell configuration, run command-line tools, and accidentally expose credentials through logs or transcripts. The product reduces that ambient authority.

Secrets

No plaintext handoff

Sensitive values should not live in `.env`, shell profiles, or CLI config files an agent can read directly.

Injection

Tool-scoped access

Approved tools receive named secrets for the execution that needs them; the model does not receive a raw value to paste or summarize.

Approvals

Visible authority changes

Package publishing, cloud mutation, and token-revealing commands should be approved at the command boundary.

Roots

Controlled installation

Release builds install under `/opt` and stub into `/usr/local/bin`; debug builds use `/tmp/opt` and `/tmp/usr/local/bin`.

Disclosure. Report security issues through GitHub.

Automic Vault is open-source software. Use the public repository for source review, issue reporting, and release tracking. Do not include live secrets, cloud account identifiers, private keys, or unreleased exploit details in public issues. If a report requires sensitive material, open a minimal public issue asking for a private reporting channel.

Release trust. Use public releases and source as the verification path.

The public GitHub repository holds the code, tags, releases, issues, and license terms. Download links on this site point to the published macOS release artifact, and the app version is derived from the repository's Cargo metadata during deployment.

Trust signalWhere to check it
Source codegithub.com/automic-vault/automic-vault
VersionThe deployed site stamps product schema and LLM metadata from Cargo.toml.
ReleasesUse GitHub releases and tags to inspect published builds and source history.
LicenseApache License 2.0, governed by the repository license text.

Local data boundary. Secrets are product data on the local Mac.

Automic Vault is not a hosted SaaS vault. The website is static, while the product focuses on local storage, local command execution, and local approval decisions on macOS.

Keychain

Local storage

Secrets are intended to move out of readable project files and into local keychain-backed storage.

Tools

Scoped injection

Approved command-line tools receive named credentials for the execution that needs them.

Agents

No raw prompt handoff

The model should not receive raw token values to quote, summarize, or paste elsewhere.

Approvals

Runtime decision

Commands that mutate cloud, source, packages, or credentials can be reviewed before execution.

Supported surface. Security review should focus on the current public release.

Automic Vault is young open-source software, so the safest security reference is the current public release and source tree. Reports should identify the version, macOS version, command being run, package or tool involved, and whether the behavior requires a local agent, local shell access, or an already-approved credential.

Version

Name the release

Include the app or CLI version from av --version, the download page, or the relevant Git tag.

Repro

Describe the local path

Show whether the issue involves file reads, keychain-backed storage, package roots, command approval, or shell installer tracing.

Scope

Separate model and tool risk

State whether the model can read a value directly, whether a tool can receive it, or whether a command can reveal it.

Secrets

Redact credentials

Use fake tokens and sanitized paths in public reports; avoid posting live keys, account IDs, or private repository details.