# Agent Secret Vault

This repo manages the secrets that local AI agents / workers need.

## Core design

- `secrets/vault.yml` is encrypted with `ansible-vault`
- The encrypted `secrets/vault.yml` may be committed to git
- The vault password file stays on the local machine: `~/.config/vault-pass.txt`
- A new machine installs the password file from the password-protected archive `secrets/vault-pass.txt.zip` kept in the repo
- All agents read secrets through one shared script instead of each inventing its own credential handling

## Main documents

- Human guide: [`docs/human-guide.md`](docs/human-guide.md)
- Agent install runbook: [`docs/agent-install-runbook.md`](docs/agent-install-runbook.md)
- Agent integration notes: [`docs/agent-integration.md`](docs/agent-integration.md)
- Vault basics: [`docs/secret-vault.md`](docs/secret-vault.md)

## Common commands

```bash
# Install the vault password file (prompts for the archive password)
./scripts/install-vault-pass.sh
# Maintainer: create the password-protected archive
./scripts/create-vault-pass-archive.sh
# View the vault
./scripts/vault.sh view
# Edit the vault
./scripts/vault.sh edit
# Read a single secret
./scripts/get-secret.sh openclaw_alice.http_nodes.gitea.password
```

## Security principles

- Never commit `~/.config/vault-pass.txt` to git
- Never paste the full decrypted YAML into chat/log
- When an agent reports back, it reports only the key path, commit hash and verification method, never the secret value
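The two git rules above can be enforced mechanically. The following pre-commit hook is an added example, not one of this repo's scripts: it uses the README's paths, while the function names and the `--hook` flag are assumptions. It refuses a commit that stages `secrets/vault.yml` without an ansible-vault header (a decrypted copy saved by mistake) or that stages any file named `vault-pass.txt`; the password-protected `secrets/vault-pass.txt.zip` is still allowed.

```shell
#!/bin/sh
# Added example pre-commit guard for this repo layout (not the project's own
# script). Install as .git/hooks/pre-commit and invoke with --hook.
set -eu

VAULT_FILE="secrets/vault.yml"

# 0 if "$1" is an ansible-vault header line (format 1.1, or 1.2 with a vault id).
is_vault_header() {
  case "$1" in
    '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if none of the given paths is a plaintext vault password file.
# Only the bare file name is rejected, so secrets/vault-pass.txt.zip passes.
no_staged_password_file() {
  status=0
  for path in "$@"; do
    case "$path" in
      vault-pass.txt|*/vault-pass.txt)
        echo "refusing to commit vault password file: $path" >&2
        status=1 ;;
    esac
  done
  return $status
}

# Checks the staged index, not the working tree, so a plaintext blob cannot
# slip through because the file on disk was re-encrypted after `git add`.
run_hook() {
  staged=$(git diff --cached --name-only --diff-filter=AM)
  # shellcheck disable=SC2086
  no_staged_password_file $staged || return 1
  if printf '%s\n' "$staged" | grep -qx "$VAULT_FILE"; then
    if ! is_vault_header "$(git show ":$VAULT_FILE" | head -n 1)"; then
      echo "refusing to commit $VAULT_FILE: not ansible-vault encrypted" >&2
      return 1
    fi
  fi
  return 0
}

# Only act as a hook when asked, so the functions can be sourced for testing.
if [ "${1:-}" = "--hook" ]; then
  run_hook
fi
```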