Aegis Vault ships with a dedicated trust documentation set for security review, GitHub visitors, and release preparation:
| Document | Scope |
|---|---|
| SECURITY.md | Security policy, supported versions, reporting, and quality gates |
| THREAT_MODEL.md | Threat model, trust boundaries, attacker assumptions, and residual risks |
| BACKUP_RECOVERY.md | Encrypted backup, restore, QR sync, import/export, and recovery handling |
| CRYPTO_VAULT_SECURITY.md | Crypto Vault + watch-only custody model and non-signing guarantees |
| PRIVACY_MODEL.md | Local-first privacy, HIBP, aliases, extension privacy, and sync exposure |
| docs/TRUST_CENTER.md | Trust center index for release evidence, audit readiness, and protocol docs |
Aegis Vault 5.0 now includes a dedicated Crypto Vault domain for offline-first crypto asset records:
- Watch-only by default - Store public receive addresses without enabling live signing or transaction broadcast
- Encrypted secret custody - Optionally store seed phrases or private keys inside the encrypted vault when explicitly selected
- Network-aware validation - Bitcoin, Ethereum/EVM, Solana, Tron, Litecoin and custom address formats are checked before saving
- Risk-aware UX - Seed/private key mode shows explicit recovery and backup warnings in both dark and light modes
- Backup-safe records - Crypto wallet metadata, derivation path, manual balance, notes and secret material are preserved across encrypted backups, JSON import/export, QR sync and canonical migration
- Mutation quality gate - Crypto wallet domain tests must stay above the 80% Stryker threshold
Aegis Vault 5.0 is a major milestone: a ground-up evolution of security architecture, privacy tooling, and user experience.

The Security Center has been transformed from a passive reporting dashboard into an active remediation engine:
- Focused Triage Mode - Step-through wizard for systematically resolving security issues by severity
- Automated Alias Rotation - One-click API-driven rotation for compromised or exposed email aliases
- 8 Security Metrics - Missing 2FA, passkey readiness, aging credentials, sharing gaps, alias exposure, alias rotation, device trust, local risk
- Review History & Trend Analytics - 7-day activity windows with reviewed/reopened/auto-resolved tracking
- Bulk Recommendations Engine - Context-aware suggestions based on current vault state

A complete masked email management platform built directly into the vault:
- Quick Alias Modal - Generate privacy-preserving email aliases in seconds
- Multi-Provider Support - SimpleLogin, Addy.io, Firefox Relay, Apple Hide My Email, plus custom providers
- API-Driven Provisioning - Direct integration with alias provider APIs for real-time alias creation
- Watchtower Risk Scoring - Per-alias risk evaluation with exposure tracking and rotation recommendations
- Alias Identity Panel - Full provider profile management with sync status, domain configuration, and audit trail

End-to-end encrypted cross-device vault synchronization:
- Push/Pull Architecture - Manual encrypted sync with sequence-based conflict tracking
- Self-Hosted Relay - Deploy your own HTTPS-only relay server for full sovereignty
- Session Management - UUID-based sessions with regeneration and device pairing
- Zero-Knowledge Transport - All data encrypted client-side before relay transmission

Premium, production-grade UI overhaul:
- Glassmorphism & Micro-Animations - Framer Motion-powered transitions throughout
- Dark Mode (Full) - Pixel-perfect dark theme with high-contrast accessibility
- Geist Typography - Inter/Geist Sans/Geist Mono font stack for professional legibility
- Adaptive Layout - Responsive from mobile to ultra-wide with view density controls (compact/comfortable)
- Clipboard Timeline - Visual countdown for auto-sanitizing copied credentials
```text
Aegis Vault 5.0
├── Desktop App         Electron 40 + React 19 + Vite 7
├── Browser Extension   Chrome / Firefox / Safari (WXT framework)
├── CLI                 Node.js - bilingual TR/EN interface
├── Sync Relay          Self-hosted HTTPS-only encrypted relay
└── Native Host Bridge  Desktop ↔ Extension secure pairing
```
| Layer | Implementation |
|---|---|
| Key Derivation | Argon2id (Web Worker + WASM fallback) |
| Encryption | AES-256-GCM with per-field IV management |
| Vault Storage | SQLCipher (WASM) with OPFS / IDB fallback |
| Backup Integrity | HMAC-SHA256 envelope verification |
| Sync Transport | ECDH + AES-GCM end-to-end encryption |
| Crypto Vault | Watch-only records + encrypted seed/private key custody |
| Sharing Transport | ECDH receiver pairing + replay protection |
| Release Signing | Ed25519 manifest + trust chain verification |
| Biometric Unlock | WebAuthn (device-bound credentials) |
The vault core is decomposed into 9 dedicated service modules under src/lib/vault/:
| Service | Responsibility |
|---|---|
| VaultAuthService | Authentication, key derivation, legacy salt fallback |
| VaultBootstrapService | Database initialization, IDB → SQLite migration |
| VaultCryptoService | Field-level AES-256-GCM encryption/decryption |
| VaultEntryService | CRUD operations for all vault entry types |
| VaultPinService | PIN-based quick unlock with Argon2id verification |
| VaultSearchIndexer | Encrypted search index build and lazy migration |
| VaultStorageService | Low-level storage abstraction (SQLCipher/IDB) |
| VaultTrashService | Soft-delete, restore, auto-cleanup (30-day policy) |
| VaultAttachmentService | File attachment encryption, storage, and retrieval |
| Feature | Description |
|---|---|
| Zero-Knowledge Architecture | All encryption/decryption happens client-side; no plaintext ever leaves device |
| Offline-First Vault | Full functionality without network; encrypted local SQLite storage |
| Security Center 2.0 | Active triage engine with automated remediation and 8 security metrics |
| Alias Privacy System | Masked email generation, provider API integration, watchtower risk scoring |
| Crypto Vault + Watch-Only | Offline crypto asset records with watch-only default and encrypted secret mode |
| Sync Relay | E2E encrypted cross-device sync with self-hosted relay option |
| Emergency Access | Trusted contacts, configurable wait windows, grant TTL, full audit trail |
| Special Entry Types | Logins, credit cards, identity cards, passkeys, TOTP, secure notes |
| QR Sync | Encrypted credential transfer via QR codes with one-time-use enforcement |
| Sharing Transport | E2E encrypted entry sharing with ECDH receiver pairing & replay protection |
| Bilingual (TR/EN) | Complete Turkish/English support across UI, CLI, and documentation |
| Argon2 Web Worker | Non-blocking key derivation with automatic WASM/main-thread fallback |
| Release Trust Chain | SBOM generation, Ed25519 signing, provenance verification |
| Passkey Governance | Site inventory, WebAuthn binding, credential lifecycle management |
| Watchtower | Breach monitoring (HIBP), credential age alerts, security score gauge |
| Dark Mode | Full dark theme with high-contrast accessibility compliance |
| Metric | Score |
|---|---|
| Test Files | 108+ |
| Unit Tests | 891+ (all passing) |
| E2E Tests | 189 (16 spec files) |
| Statements | 87.36% |
| Branches | 75.4% |
| Functions | 90.6% |
| Lines | 89.43% |
| Mutation Resilience | 83.88% (Stryker gate) |
| Crypto Vault Mutation Gate | 83.67% (80% break threshold) |
| Service Category | Mutation Score |
|---|---|
| Recovery Drill | 97.00% |
| Crypto Vault Domain | 83.67% |
| WebAuthn Service | 81.71% |
| WebAuthn PRF Utilities | 76.67% |
| Mutation Gate Composite | 83.88% |
The default mutation gate focuses on deterministic security/domain modules that are suitable for Vitest mutation testing. The extended profile keeps the broad historical report shape by including legacy module families, Android-side security modules, storage/facade modules such as SQLite OPFS persistence and the VaultService orchestrator. The extended profile is diagnostic and does not block the release gate.
```bash
# Run unit tests
npm run test

# Run with coverage
npm run test:coverage

# Run E2E tests
npm run test:e2e

# Run mutation tests
npm run test:mutate

# Run crypto vault mutation quality gate
npm run test:mutate:crypto

# Run extended exploratory mutation analysis
npm run test:mutate:extended

# Full CI quality gate (lint + unit + regression + e2e)
npm run test:quality-gate
```

- ESLint: Zero errors, zero warnings across the entire codebase
- TypeScript Strict: Full strict mode enabled (TS 5.9)
- Mutation Testing: Stryker integration for test quality validation
- Crypto Vault Gate: `npm run test:mutate:crypto` fails if the crypto domain mutation score drops below 80%
- E2E Resilience: Playwright-based suite with `toPass` assertions and async state sync
- CI Quality Gate: `npm run test:quality-gate` enforces lint + unit + regression + e2e
- Static Analysis: CodeQL and Semgrep in CI for automated vulnerability scanning
- Node.js 20+
- npm 10+

```bash
git clone https://github.com/hafgit99/AegisVault_V.4.0.0.git
cd aegis-4.0
npm install
npm --prefix aegis-wxt install
```

```bash
# Web UI (development)
npm run dev

# Desktop (Electron)
npm run start:electron

# Browser extension (development)
npm --prefix aegis-wxt run dev
```

```bash
# Web production build
npm run build

# Electron package
npm run build:electron

# Browser extension
npm run build:extension
```

Bilingual command-line interface for automation and operational workflows.

```bash
npm run cli -- help
npm run cli -- status --lang tr
npm run cli -- list --limit 25
npm run cli -- export --format json
```

| Resource | Link |
|---|---|
| Turkish Guide | CLI Kullanım Kılavuzu |
| English Guide | CLI Usage Guide |
| CLI Index | docs/CLI/README.md |
| Command | Description |
|---|---|
| `npm run dev` | Start Vite dev server |
| `npm run build` | TypeScript check + Vite production build |
| `npm run lint` | ESLint (zero errors enforced) |
| `npm run test` | Run all unit tests |
| `npm run test:coverage` | Tests with v8 coverage report |
| `npm run test:e2e` | Playwright end-to-end tests |
| `npm run test:quality-gate` | Full CI quality gate (lint + unit + regression + e2e) |
| `npm run test:mutate` | Stryker mutation gate for deterministic security core |
| `npm run test:mutate:extended` | Extended exploratory mutation analysis |
| `npm run test:mutate:crypto` | Crypto Vault mutation gate, break threshold 80% |
| `npm run format` | Prettier code formatting |
| `npm run release:trust-chain` | SBOM + provenance + signing + verification |
| `npm run cli` | Aegis CLI interface |
| Resource | Language |
|---|---|
| Security Policy | EN |
| Threat Model | EN |
| Security Whitepaper | EN |
| Audit Application Pack | EN |
| OSS-Fuzz Application Notes | EN |
| Incident Response | EN |
| Hardening Plan | TR |
| Release Verification Guide | TR |
| Competitor Analysis | EN |
| Security Roadmap | TR |
```text
aegis-4.0/
├── src/
│   ├── components/
│   │   ├── dashboard/               # Main dashboard panels (22 components)
│   │   │   ├── SecurityCenterPanel  # Security Center 2.0 with triage engine
│   │   │   ├── QuickAliasModal      # Quick alias generation wizard
│   │   │   ├── SyncRelayControl     # Sync relay push/pull controls
│   │   │   ├── AliasPrivacyPanel    # Alias privacy management
│   │   │   ├── EmergencyAccessPanel # Emergency access controls
│   │   │   ├── ReleaseTrustPanel    # Release trust chain viewer
│   │   │   └── ...                  # Entry forms, sharing, watchtower, etc.
│   │   ├── onboarding/              # Setup wizard
│   │   ├── settings/                # Settings drawers, alias identity panel
│   │   └── ui/                      # Shared UI primitives
│   ├── config/                      # Encryption profiles, security settings, sync strategy
│   ├── contexts/                    # React context providers (VaultContext)
│   ├── hooks/                       # Custom hooks (useVaultData, useVaultSecurity, etc.)
│   ├── lib/                         # Core business logic (48 modules)
│   │   ├── vault/                   # Modular vault services (9 services)
│   │   ├── AliasProviderService     # Multi-provider alias management
│   │   ├── SecurityCenterService    # Security scoring & triage engine
│   │   ├── SharingTransportService  # E2E encrypted sharing
│   │   ├── SyncManager              # Relay sync orchestration
│   │   ├── EmergencyAccessService   # Emergency access lifecycle
│   │   └── ...                      # Crypto, import/export, passkeys, etc.
│   └── workers/                     # Web Workers (Argon2id)
├── aegis-wxt/                       # Browser extension (WXT framework)
├── tests/                           # E2E tests (Playwright, 16 spec files)
├── guvenlik/                        # Security governance documentation
├── docs/                            # Technical documentation & CLI guides
├── scripts/                         # Build, release, CI tooling
└── relay/                           # Sync relay server
```
This project is licensed under the MIT License. See LICENSE.
Built with security-first principles. Zero knowledge. No compromises.
Aegis Vault 5.0 - © 2026 hafgit99