Security model

Local vault and MCP secret broker for AI agents that need API access.

ShellFrame AI is designed around a local secret boundary: agents can keep using normal developer workflows while real secrets stay in the AgentSecure vault and resolve only for approved MCP-backed API calls.

Vault

Secrets stay on the machine

Real API keys, raw `.env` values, prompts, request bodies, and source files are not required by the cloud console.

Placeholder

Agents see names, not values

`agentsecure start` rewrites `.env` with safe placeholders like `${API_KEY}`.

MCP

Approved calls can resolve secrets

The MCP broker resolves local vault values only for destinations approved by the developer or team.

Trust boundary

What the cloud can and cannot see.

The console is for coordination and visibility. It can manage destination approvals, MCP setup metadata, devices, and audit summaries without receiving raw secret material.

Cloud can see

  • Approval names, versions, assignments, and sync status
  • Device and session metadata
  • MCP server status
  • Approved destinations and audit summaries
  • Placeholder names used by approved requests

Cloud cannot see

  • Real API keys or database credentials
  • Raw `.env` contents
  • Secret values behind placeholders
  • Source code
  • Agent prompts or request bodies

Secret controls

How AgentSecure keeps values local.

.env import

`agentsecure start` imports real `.env` values into the local vault instead of leaving them in files that agents can read.

Backup and restore

AgentSecure writes a backup before rewriting files, so humans can restore the original local `.env` when they need it.

Safe placeholders

Agents see placeholders such as `${OPENAI_API_KEY}`. They can reason about required values without receiving the values themselves.

Generated AGENTS.md

Generated repo guidance tells agents to use MCP tools instead of asking humans to paste secrets into prompts.

MCP HTTP broker

The main tool, `agentsecure.http.request`, resolves a placeholder locally and sends an approved request to the destination.

Audit without values

Audit records can show placeholder names, approved destinations, and tool usage without logging secret values or request bodies.

Example scenario

An agent needs a secret-backed API call.

The agent sees `${STRIPE_SECRET_KEY}` in the repo. It calls the MCP broker with the placeholder, destination, and purpose. AgentSecure resolves the value locally only if the destination is approved.

$ agentsecure.http.request
url: https://api.stripe.com/v1/customers
auth: ${STRIPE_SECRET_KEY}

agentsecure:
  destination approved
  placeholder resolved from local vault
  value_logged: false

audit: placeholder + destination only
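The import-and-rewrite step and the broker decision above, written out as an added example that is not AgentSecure's own code: `import_env`, `broker_request`, the in-memory vault, the host-based approval set, the sample `.env` contents and the rule that a non-placeholder auth value is rejected are all assumptions made here for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .env (not real credentials) standing in for a project's file.
SAMPLE_ENV = "STRIPE_SECRET_KEY=sk_test_example123\nDB_URL=postgres://app:pw@db/app\n"

PLACEHOLDER = re.compile(r"\$\{([A-Z0-9_]+)\}")


def import_env(text):
    """Move real values into an in-memory vault and return (vault, rewritten .env).

    The rewritten text is the agent-visible form: names, not values.
    """
    vault, rewritten = {}, []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            rewritten.append(line)  # comments and blank lines pass through unchanged
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        vault[name] = value
        rewritten.append(f"{name}=${{{name}}}")
    return vault, "\n".join(rewritten) + "\n"


def broker_request(url, auth, vault, approved_hosts):
    """Resolve a placeholder only for an approved destination (no network call made).

    Returns (audit_record, outbound_headers); the record never holds the secret
    and headers are None whenever the request is not allowed to proceed.
    """
    host = urlsplit(url).hostname or ""
    match = PLACEHOLDER.fullmatch(auth)
    record = {
        # Log the literal only if it is a placeholder; anything else might be a pasted secret.
        "placeholder": auth if match else "<not a placeholder>",
        "destination": host,
        "value_logged": False,
    }
    if match is None:
        return {**record, "status": "rejected"}, None
    if host not in approved_hosts:
        return {**record, "status": "denied"}, None
    name = match.group(1)
    if name not in vault:
        return {**record, "status": "denied", "reason": "unknown placeholder"}, None
    # The real value goes only into the outbound header, not back to the agent or the log.
    return {**record, "status": "approved"}, {"Authorization": f"Bearer {vault[name]}"}
```

The audit record is what would be shipped to the console; the header dict is what the local HTTP client would attach and then discard.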

Limitations

Security is layered, not magical.

ShellFrame AI is defense in depth for AI coding agent workflows. It reduces accidental secret exposure by moving real values out of agent-visible files, but it is not a full VM, container sandbox, or guarantee against every local compromise, malicious dependency, misconfiguration, or bypass outside the configured workflow.

Evaluate the boundary before connecting agents to real projects.

Start with `agentsecure start`, review the placeholder rewrite, then decide which destinations may receive which local vault values through MCP.
