aivault
Complete guide for using aivault as a zero-trust local vault and proxy for API secrets. Use this skill when initializing or configuring aivault, managing secrets and credentials, invoking capability-backed API calls, setting workspace/group isolation, installing provider plugins such as Postgres, adding custom providers, or troubleshooting daemon and policy issues.
Best use case
aivault is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Complete guide for using aivault as a zero-trust local vault and proxy for API secrets. Use this skill when initializing or configuring aivault, managing secrets and credentials, invoking capability-backed API calls, setting workspace/group isolation, installing provider plugins such as Postgres, adding custom providers, or troubleshooting daemon and policy issues.
Teams using aivault should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/aivault/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How aivault Compares
| Feature / Agent | aivault | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Complete guide for using aivault as a zero-trust local vault and proxy for API secrets. Use this skill when initializing or configuring aivault, managing secrets and credentials, invoking capability-backed API calls, setting workspace/group isolation, installing provider plugins such as Postgres, adding custom providers, or troubleshooting daemon and policy issues.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
<!-- Generated by scripts/sync-skills.js. Edit docs/ sources, then run pnpm skills:sync. -->
# aivault Runtime And Integration
This skill covers secure setup and day-to-day use of `aivault` for agent workflows. The detailed
reference files are generated from this repository's `docs/` sources; update docs first, then run
`pnpm skills:sync`.
## Quick Reference
| Resource | Path |
| ----------------------- | ------------------------------ |
| CLI binary | `aivault` |
| Daemon binary | `aivaultd` |
| Vault root (default) | `~/.aivault/data/vault/` |
| Daemon socket (default) | `~/.aivault/run/aivaultd.sock` |
| Repo docs source | `docs/` |
| Generated skill refs | `skills/aivault/references/` |
## Default Workflow
1. Check status and provider setup:
- `aivault status`
- `aivault provider list -v`
2. Store secrets in the vault, not in agent-readable env files:
- `aivault secrets create --name OPENAI_API_KEY --value "sk-..." --scope global`
3. Inspect available capabilities:
- `aivault capability list`
- `aivault capability describe openai/chat-completions`
4. Invoke through the policy boundary:
- `aivault invoke openai/chat-completions --body '{"model":"gpt-5.2","messages":[{"role":"user","content":"hello"}]}'`
5. Verify audit trail:
- `aivault audit`
## Detailed References
Load only what is needed:
- [references/getting-started.md](references/getting-started.md) - installation, first-run setup, and secure invocation flow.
- [references/cli-reference.md](references/cli-reference.md) - command groups and practical command patterns.
- [references/provider-plugins.md](references/provider-plugins.md) - optional provider binaries, including Postgres setup and invocation.
- [references/registry-custom-providers.md](references/registry-custom-providers.md) - built-in registry model, schema, and custom provider flow.
- [references/security-and-isolation.md](references/security-and-isolation.md) - zero-trust properties, scope resolution, encryption, audit, and threat boundaries.
- [references/operations.md](references/operations.md) - daemon behavior, environment flags, storage layout, and testing commands.
## Essential Patterns
### Registry-backed secret provisioning
Use canonical secret names such as `OPENAI_API_KEY` so aivault can pin to a provider and
auto-enable capabilities.
### Capability-first invocation
Call `aivault invoke <capability-id>`, `aivault json <capability-id>`, or
`aivault markdown <capability-id>` instead of direct upstream calls with raw keys.
### Scoped tenancy controls
Use `--scope workspace` and `--scope group` for tenant isolation, then pass
`--workspace-id` and `--group-id` on invoke.
### Provider plugin activation
If a capability starts with a plugin namespace such as `postgres/`, check
`aivault provider list -v`, then install and enable the official provider before configuring
credentials:
```bash
aivault provider install postgres --enable
```
### Custom provider fallback
Only create manual credentials and capabilities when a provider is not in the built-in registry or
available as an official provider plugin.
## Common Mistakes To Avoid
1. Storing API keys in `.env` for untrusted agent code.
2. Invoking raw URLs instead of declared capabilities.
3. Forgetting scope context when debugging credential resolution.
4. Assuming caller-provided auth headers are allowed; the broker owns auth headers.
5. Treating custom providers as equally tamper-resistant as compiled registry providers.
6. Importing database client libraries or reading `DATABASE_URL` in agent-owned code when
`postgres/*` capabilities are available.
## Maintenance
Run `pnpm skills:sync` after docs changes. Run `pnpm skills:check` in CI or before releases to
ensure `skills/aivault` still matches `docs/`.Related Skills
moldable
Complete guide for building Moldable apps. Use this skill when creating new apps with scaffoldApp, modifying existing apps, implementing workspace-aware storage, integrating with the Moldable desktop via postMessage APIs (moldable:show-in-folder, moldable:set-chat-input, moldable:set-chat-instructions, moldable:save-file), configuring workspaces, managing skills/MCPs, or troubleshooting app issues. Essential for any Moldable app development task.
swe-cli-skills
Senior engineer CLI expertise for AI agents — workflows, safety guardrails, gotchas, and anti-patterns across cloud, IaC, containers, databases, dev tools, and platforms
PicoClaw Fleet
Orchestrate a fleet of remote PicoClaw workers over SSH for fast, ephemeral one-shot tasks.
VibeCollab — Setup Instructions for AI Assistants
You are helping a user set up VibeCollab in their project.
raycast-extension-docs
Guidance for building, debugging, and publishing Raycast extensions using the Raycast documentation set. Use when Codex needs to create or modify Raycast extensions (React/TypeScript/Node), consult Raycast API reference or UI components, build AI extensions, handle manifest/lifecycle/preferences, troubleshoot issues, or prepare/publish extensions to the Raycast Store or Teams.
evomap
Connect to the EvoMap collaborative evolution marketplace. Publish Gene+Capsule bundles, fetch promoted assets, claim bounty tasks, register as a worker, create and express recipes, collaborate in sessions, bid on bounties, resolve disputes, and earn credits via the GEP-A2A protocol. Use when the user mentions EvoMap, evolution assets, A2A protocol, capsule publishing, agent marketplace, worker pool, recipe, organism, session collaboration, or service marketplace.
maestro
Intelligent skill knowledge gateway. Routes tasks to the right knowledge without loading all skills into context. MUST be consulted before any coding task — call the search_skills MCP tool to retrieve relevant expertise from 100+ indexed skills covering Swift, SwiftUI, concurrency, testing, architecture, performance, and security.
opentui
Comprehensive OpenTUI skill for building terminal user interfaces. Covers the core imperative API, React reconciler, and Solid reconciler. Use for any TUI development task including components, layout, keyboard handling, animations, and testing.
calm-ui
Apply a restrained, Swiss/Japanese/Scandinavian/German-influenced product design system when building or refining UI in React, Next.js, TypeScript, and shadcn/ui. Use when the user asks to build, refine, critique, redesign, or review a page, screen, component, form, table, dashboard, layout, or other frontend interface, especially in projects using shadcn/ui. Do not use for marketing sites, landing pages, non-UI work, or requests for bold, playful, maximalist, or otherwise expressive aesthetics.
solid
Apply SOLID principles to write flexible, maintainable, and testable code. Use when designing classes, interfaces, and module boundaries. Covers Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, and Dependency Inversion with practical TypeScript examples and detection heuristics.
netops-asset-manager
Manage IT infrastructure assets (routers, switches, servers, GPU clusters) through a Go + Vue 3 platform with real-time health probing, SSH remote control, configuration backup, bulk import, network topology visualization, and PM2 process management. Supports H3C, Huawei, Cisco, MikroTik, Ruijie, DCN, and Linux. Use when the user asks about IT asset management, network device operations, infrastructure monitoring, SSH device control, or development on this Go + Vue 3 platform.
Goal: Build an LLM-based RAG App
Here is the MVP Implementation Plan.