Private alpha · plaintext only at exec

Built to be unseen.

Shroud is a terminal layer for AI coding agents. Secrets become references; plaintext resolves only at execution, under scoped UCAN + DID capabilities — never inside model context.

Request access →Whitepaper

shroud · live demo recdid:key:z6MkAgent… guarded

agent$

a recorded session — secrets never reach the model

Works with the models you already run

How it works

Reference. Authorize. Resolve.

The agent never needs the literal key — it needs the authority to use the key for a bounded purpose. Shroud turns that authority into a local, auditable runtime protocol.

Step 1

.env guarded

OPENAI_API_KEY=sk-proj-7Qd9…m2A

OPENAI_API_KEY=$SHROUD_REF(OPENAI_KEY)

STRIPE_KEY=sk_live_4fK9…

STRIPE_KEY=$SHROUD_REF(STRIPE_KEY)

Agents see references

Environment files and commands carry stable symbolic references instead of secret values.

Step 2

capabilityUCAN

issdid:key:z6Mk…Operator

auddid:key:z6Mk…Agent

cansecret/read

withvault://OPENAI_KEY

exp+1h

attenuated · narrows only

Access is scoped

You grant secret/read to an ephemeral agent DID — one resource, one bounded time window.

Step 3

execpid 48213

fork() → resolve(OPENAI_KEY)

↳ injected into child · never in context

execve() · 200 OK

journal · hash-chained

17:42:13secret/read✓

Plaintext only at exec

The shim resolves references after the command is emitted, injects into the child process, and journals it.

Why Shroud

Three leak paths. One boundary.

Coding agents leak through file reads, environment inspection, and command output. Shroud narrows all three to symbolic handles — the model gets a reference, the value stays in the vault until the moment of execution.

File ingestion

cat .env reads a reference, not a key.

Environment leakage

printenv shows handles; injection happens post-fork.

Command output

The proxy redacts echoes and raises an audit event.

Dimension

Bare shell

With Shroud

Secret in model context

sk-proj- — plaintext visible to the model

$SHROUD_REF(NAME) — never the value

Leak on .env read

Key enters the transcript:

Reference enters; value stays in the vault

Access scope

Ambient shell authority

Per-resource, time-boxed UCAN capability

Revocation

Rotate the key everywhere

Revoke one capability, instantly

Auditability

Hope your logs caught it

Hash-chained journal of every resolution

Capabilities

Small primitives. Hard boundary.

Shroud is intentionally narrow: keep secrets local, expose references, authorize resolution, and leave a trail.

Agent identity

Each agent gets a leash.

Every session receives an ephemeral DID and only the UCAN scopes you approve.

root

operator DID

grant

UCAN

runtime

agent DID

secret

vault://key

attenuation only narrows — sub-agents can hold less authority than their parent, never more

Audit trail

Every resolution, journaled.

17:42:13secret/readOPENAI_KEY✓

17:42:19secret/readSTRIPE_KEY✓

17:43:02secret/readPROD_DB_URLdenied

17:44:51secret/readGH_TOKEN✓

Hash-chained · tamper-evident · shroud audit

Local vault

Nothing leaves your machine.

Secrets stay encrypted at rest in ~/.shroud/vault.age, held in locked memory during a session. Hardware-backed keys where available.

Symbolic references

Names, never values.

Agents operate on $SHROUD_REF(STRIPE_KEY) — stable across rotations, useless in a transcript.

Revocation

One command, instant.

shroud revoke kills a capability by CID. Fail-closed — no rotating the key across every service.

Whitepaper

Capability-mediated terminals for AI agents.

The full technical draft: threat model, cryptographic foundations, the Shroud protocol, reference implementation, residual risks, and evaluation across 47 agent workflows.

Whitepaper →

Shroud: A Capability-Mediated Terminal for AI Coding Agents

Shroud Research

team@useshroud.com

Abstract. Any secret reachable from the shell is, by default, reachable by the model. Shroud mediates all read access to secret material via a capability-based authorization protocol: secrets are stored in a local vault, referenced by agents only through opaque names, and injected into command invocations at execution time…

PDF

FAQ

Questions, answered.

The short version of what people ask first. The whitepaper covers the rest in depth.

Does my agent need to change?

No. Claude Code, Codex, Cursor, Aider and other agents run unmodified. Shroud wraps the terminal session — agents simply see references instead of values.

Where do my secrets live?

In an encrypted local vault on your machine (~/.shroud/vault.age), unlocked per session and held in locked memory. No secret ever leaves your machine.

What if a tool genuinely needs the key?

It gets it — at execution time. The shim injects plaintext into the child process after fork, before exec. The agent and the model context never hold it.

Can I see what was accessed?

Every resolution, denial, and revocation is appended to a hash-chained local journal. shroud audit shows you exactly what happened, when, under which capability.

What happens when I revoke?

shroud revoke invalidates the capability by CID instantly. The next resolution attempt fails closed — no rotation scramble across every service.

Give your AI the work.
Keep the secret unseen.

Early builds are shared manually with setup help. No public download yet.