Cora — Zero-Knowledge Secret Injection for AI Agents
Cora is a zero-knowledge secret-injection system for AI agents, written in Zig. It prevents the orchestrating agent, its skills, and its plugins from ever holding raw API keys or credentials while still allowing an approved subprocess to use them.
The usual pattern—starting an agent with ANTHROPIC_API_KEY, OPENAI_API_KEY, or another credential in its environment—makes that value readable by every component inside the runtime. A prompt injection can ask for it, a plugin can inspect it, and a debug log can accidentally persist it. Cora changes the boundary instead of relying on the agent to behave perfectly.
How secret injection works
cr unlockderives a key from the passphrase with Argon2id, decrypts the portablecora.zonvault, and immediately zeroes temporary key material.cr exec TASK -- commandasks the background service to run an approved task.- The service verifies the calling binary at the operating-system level and checks the configured caller allowlist and task scope.
- Only the approved subprocess receives the requested values in its environment. The orchestrating
crprocess never reads them. - When the task exits, temporary copies are wiped with
secureZero.cr lockclears service memory and returns everything to encrypted-at-rest state.
A prompt injection asking the orchestrator to print a key receives nothing because the value was never present in that process. This is a process-boundary guarantee, not another instruction placed into the model's prompt.
Encrypted, portable storage
Secrets live in one cora.zon file encrypted with XChaCha20-Poly1305. The passphrase is processed with Argon2id. The file can move between a workstation, server, container, or CI environment without depending on a cloud vault, sync service, or operating-system keychain.
The audit trail records names and decisions rather than secret values. Cora provides commands to inspect recent execution, verify process identity, and confirm which caller and task policy allowed an injection.
Policy and task scoping
- Caller allowlist: explicitly allow or deny executable paths with
cr policy allow|deny. - Task definitions: map a named task to only the secrets it needs.
- Secret lifecycle: create, list, and delete entries without exposing them in normal command output.
- Service lifecycle: unlock only when needed, inspect status, then lock and wipe memory.
- Auditability: tail or inspect the append-only audit log without storing values.
- Interactive TUI: manage the same system through a pane-based terminal interface.
Quick start
cr init
cr secrets set ANTHROPIC_API_KEY
cr policy allow /path/to/cr
cr policy allow /path/to/claude
cr policy task add claude-task ANTHROPIC_API_KEY
cr unlock
cr exec claude-task -- claude -p "say hi"
cr audit tail
cr lock
The spawned Claude process receives the requested key. The orchestrator receives only the child process ID and exit status.
Install
Cora publishes prebuilt binaries for macOS, Linux, and Windows. Stable releases can be installed through the official script, Homebrew, Scoop, or npm:
curl -fsSL https://raw.githubusercontent.com/keton-id/cora/main/install.sh | sh
brew tap keton-id/tap
brew install cora
npm i -g @keton-id/cora
The install scripts verify release checksums. The npm package selects the matching platform-and-architecture binary through optional dependencies, with no native addon and no postinstall download.
Threat model and license
Cora is deliberately narrower than a hosted enterprise vault: it focuses on keeping agent orchestrators away from secret values while preserving a portable single-binary workflow. The repository documents its threat model, known residual risks, and responsible-disclosure process. Cora is licensed under AGPL-3.0.
Got a project? Let's scope it.
Tell me what you're building. You'll get back a real approach and what it takes to ship it.