vault-conductor

I built vault-conductor to eliminate the invisible technical debt that accumulates in our ~/.ssh directories. Any developer who moves between environments knows the friction of the "forwarding trap", exposing your local socket to a jump box, or the "session hand-off" problem where a stale SSH_AUTH_SOCK in a remote tmux session breaks your Git commit signing workflow. These aren't just annoyances, they are security failures waiting to happen because they push us toward dangerous workarounds like recycling "master" keys, stripping passphrases to avoid prompt fatigue, or leaving unencrypted private key files scattered across multiple machines. I wanted a solution that stopped treating identity like a static configuration file. By making Bitwarden Secrets Manager the single source of truth, vault-conductor ensures keys are served strictly from memory with zero disk footprint. It solves the "socket rot" of traditional setups and allows for centralized revocation. If a laptop is lost, you simply revoke the machine-token in Bitwarden Secret Manager web dashboard, rather than hunting down authorized_keys across your servers.