Resurgamus Open Source

Resurgamus Horizon

A self-hosted secrets vault. Encrypted, auditable, revocable credentials for your automations and your AI agents.

AGPL-3.0 Self-hosted Audit-first Post-quantum core

≈ 1 minute to a free try, on your own machine:

curl -fsSL https://raw.githubusercontent.com/JR-Shdw/Horizon/main/tools/quickstart-laptop.sh | bash

See it live

The real application, running in your browser on demo data. Watch the tour or take the controls, nothing is installed and no real secrets are involved.

vault.lan — live demo

The problem

Millions of people paste client credentials into a chat window or leave them in a plaintext .env file. It works, until it does not: no audit trail, no revocation, no idea who read what. As AI assistants get plugged into real workflows, that surface only grows.

The same thing, but auditable and revocable

Horizon keeps your secrets encrypted and only releases them to the apps and people you have granted access to. Every read is written to a tamper-evident log. Give an AI agent access to one client folder, watch what it reads, revoke it in one click. You host it: nobody else holds your keys.

What it does

Encrypted vault

Proven crypto primitives (libsodium). Each secret has its own key; the master key never touches disk.

Sealed by default

After a reboot nothing is readable until a human unlocks it. 2FA via security key, TOTP or YubiKey.

Tamper-evident audit

Every read and write is chained and signed. Exportable per client for reporting.

Built for AI agents

Native MCP integration for Claude, Cursor and others. The agent sees tool names, never the raw vault.

Short-lived credentials

Dynamic secrets for PostgreSQL, MySQL and LDAP with automatic expiry. No long-lived password lying around.

Yours, and open

AGPL-3.0, no SaaS dependency, no vendor lock-in. Runs on Linux, macOS, BSD, and Windows via WSL/Docker (native support coming soon).

FIPS 204 · ML-DSA · ML-KEM

Ready for the post-quantum era

Quantum computers will one day break classical encryption. Horizon's core is already resistant: post-quantum storage primitives, hybrid TLS (X25519MLKEM768), and a PKI that signs with ml-dsa-65 (FIPS 204). Your secrets stay protected, today and tomorrow.

Built for AI agents (MCP)

Your AI assistant connects through the Model Context Protocol: a scoped, audited, revocable door into the vault. It never sees your raw secrets.

AI
Claude / Cursor
your assistant
Bearer rh_…
MCP
MCP server
policy, fail-closed
tool call
H
Horizon vault
scoped, audited
vault_statusvault_whoamivault_list_namespaces vault_list_secretsvault_get_secretvault_audit_tail

The model sees tool names, never vault endpoints. No write tools. Every read is attributed to the agent's own token in the audit chain.

One secret, three ways

Scriptable, API-first, and a UI. Create the same secret from your terminal, your code, or the browser.

CLI
API
POST /api/v1/vault/secrets/
curl -X POST \
  -H "Authorization: Bearer rh_…" \
  -H "Content-Type: application/json" \
  -d '{"name":"stripe-key",
       "value":"sk_live_…",
       "namespace":"clients"}' \
  https://vault.lan/…/secrets/
→ 201 Created
Web
stripe-key
••••••••••
clients
✓ saved (v1)

Who it is for

From the solo developer to multi-site, highly available infrastructure. Horizon is a professional-grade vault: HA clustering (Patroni, replication, automatic failover), Docker or Kubernetes deployment, agents for every OS (Linux, macOS, BSD, Windows), quantum-resistant encryption, built-in PKI, dynamic secrets, LDAP/SSO and a tamper-evident audit chain. The same rigor as the big players, whether you run three scripts or a thousand servers.

My credo: professional-grade data security must be within everyone's reach. Horizon is free and open source, on purpose. Protecting your data is a right, not a privilege.
Security note: a vault holds every secret of your infrastructure. Horizon is designed for private networks and VPN, never for public Internet exposure.

NIS2 and CRA

NIS2

Horizon helps entities subject to NIS2 implement several risk-management measures: secrets and privileged-access management, encryption, MFA, and an audit log for traceability and incident detection.

CRA

Horizon helps makers of digital products meet their own CRA obligations, by keeping secrets out of their code and providing auditable access management.

Horizon is a tool that helps with compliance; it is not itself a certification.

Try it, take back control of your secrets

Horizon is free and open source. The code and the full documentation live on GitHub.

View on GitHub