FixIt internal · credential infrastructure
The encrypted vault for credentials, API tokens, and AI-safe secret use. Your agents borrow secrets at run time — they never see the values.
Vault
Create or unlock your encrypted vault, approve sensitive actions with Touch ID, and sync ciphertext with the Onyx server.
Bridge
The local stdio server that lets AI tools use Onyx refs without putting token values into chat history. Ships on npm as @lovinka/onyx-mcp — the launcher fetches the signed native build and verifies its SHA-256.
claude mcp add --scope user onyx -- npx -y @lovinka/onyx-mcpAutopilot
Give these to Codex, Claude Code, or another assistant so it installs the app and MCP without asking for secret values.
Every secret picks its exposure — three tiers govern what an AI agent can do with each item in your vault, the same color language the app uses everywhere.
injectableAgents can use this value at run time. It’s injected server-side and never shown to the model.
human_gatedVisible to agents as metadata only. Revealing the value requires your Touch ID approval.
ai_hiddenInvisible to every agent. This secret never leaves your vault through the MCP.
onyx.lovinka.com.claude mcp add --scope user onyx -- npx -y @lovinka/onyx-mcp (Claude Code), or npm i -g @lovinka/onyx-mcp for other clients. Prefer a fixed binary? Download the zip, unzip it, and move the whole folder to /Applications/Onyx MCP (command path /Applications/Onyx MCP/onyx-mcp).npx, args ["-y", "@lovinka/onyx-mcp"]. The MCP server talks to the running Onyx app through the local owner-only socket.