Gives Claude local vault operations for API keys and secrets without shipping them to the cloud. Exposes add, get, rotate, and audit-log commands against an encrypted SQLite vault that stays on your machine. The guard preflight scans repos for leaked credentials and unhardened MCP config before you hand them to an agent or push to GitHub. Useful when you're building agents that need production keys but you want audit trails and rotation without a network dependency. Supports macOS Keychain integration for daemon workflows and scriptable password sources for CI. The rotate-master command re-encrypts the entire vault transactionally if a team member leaves or a password leaks.
claude mcp add --transport stdio com.nautaai-holster-mcp uvx holster-mcp