Agent Secret

Privacy Policy

Agent Secret is an open-source local macOS application. The privacy posture is intentionally simple: no hosted Agent Secret account, no website analytics, and no maintainer collection of raw secret values.

Last updated: May 27, 2026

What This Policy Covers

This policy covers the Agent Secret website, the published Agent Secret macOS app and CLI, and planned provider integrations such as Google OAuth for GCP token minting. It does not replace the privacy policies for third-party services you connect to Agent Secret, such as 1Password, Google Cloud, GitHub, or Homebrew.

Website Privacy

The Agent Secret website is a static site. It does not set analytics cookies, run advertising trackers, or collect contact forms. The site is hosted by Cloudflare Pages, so Cloudflare may process ordinary server logs and request metadata needed to operate the hosting service.

Application Data

Agent Secret runs locally on your Mac. Configuration files contain secret references, not secret values. When you approve a request, the daemon fetches the approved values from your configured provider and passes them to the approved child process. The maintainer does not receive those values.

Agent Secret may write local audit metadata such as request time, working directory, command, account, approved references, result, TTL, and approval state. Audit metadata is intended to avoid raw secret values. Downstream commands you run with approved secrets are outside Agent Secret's control.

1Password Integration

Current builds use the 1Password desktop app and official 1Password SDK integration. Agent Secret asks 1Password for approved references after local approval. 1Password account data, vault membership, unlock state, and provider-side logs are governed by 1Password's terms and privacy policy.

Google OAuth And GCP Token Minting

GCP token minting is planned. When you choose to use a Google integration, Agent Secret will request the Google scopes shown by the app, configuration, or approval flow and use them to perform the local operation you requested, such as minting an access token for a specific command. Agent Secret should not request broad default scopes silently.

OAuth tokens, refresh tokens, and derived access tokens are used to perform local Agent Secret features. The project does not sell this data or share it with the maintainer. Google may process OAuth, account, token, and Cloud API activity under Google's own policies. You can revoke Google access from your Google Account security settings.

Data Sharing

Agent Secret does not operate a backend service that receives your secrets. Data is shared only when you cause it to be shared: for example, when the local app talks to 1Password or Google, when a command receives an approved environment variable, when you open a GitHub issue, or when you send a security report.

Retention And Deletion

Local configuration, caches, and audit metadata stay on your machine until you delete them or uninstall the app. Third-party providers keep their own logs and account records according to their policies. Agent Secret does not provide a hosted account dashboard because it does not operate a hosted user account system.

Security Reports

Do not include raw secret values, private secret references, vault names, or sensitive screenshots in public issues. Use GitHub private vulnerability reporting for security reports: github.com/kovyrin/agent-secret/security/advisories/new

Changes

This policy may change as Agent Secret adds providers or changes how local approvals work. Material privacy changes should be reflected in the website and repository documentation.

Agent Secret · MIT licensed © 2026 Oleksiy Kovyrin · @kovyrin