Skip to content

unixwzrd/Secrets-Kit

BranchesTags

Repository files navigation

Secrets Kit - "stop painting API keys on argv" release

Secrets Kit

Python Platform License: MIT

Repository: Secrets-Kit · CLI: seckit · Current release target: v1.2.0

Secrets Kit is a macOS CLI that stores secret values in the login Keychain, keeps metadata on the keychain item (comment JSON), and uses ~/.config/seckit/registry.json only as an index/recovery aid—not the source of truth. It can inject selected secrets into child processes via seckit run and export shell/dotenv or encrypted backups.

Scope and limits (read first)

In scope Out of scope
macOS, Python 3.9+, security + login Keychain Hosted vault, HSM, zero-knowledge guarantees
Primary cross-host: seckit export / import (e.g. encrypted JSON) + you move the file Phone home; your Keychain password is never read by the tool
seckit run, import/export, encrypted cross-host backup Deprecated icloud backends (removed); live multi-master “sync” guarantees; iCloud Drive does not replace Keychain (see docs); protection on an already-compromised machine/session

If that trust model is unclear, use something else until it is.

Install

pip install "git+https://github.com/unixwzrd/Secrets-Kit.git@v1.2.0#egg=seckit"

Development checkout: pip install -e . in a venv. For day-to-day use, --backend secure is sufficient (no helper). Wheels still bundle seckit-keychain-helper for the legacy, unsupported --backend icloud path; see iCloud Sync Validation. Reliable host-to-host transfer: Cross-Host Validation (encrypted export).

seckit version

First commands

seckit keychain-status
seckit unlock
echo 'example' | seckit set --name DEMO_KEY --stdin --kind generic --service my-stack --account local-dev
seckit list --service my-stack --account local-dev
seckit run --service my-stack --account local-dev -- python3 -c 'import os; print("DEMO" in os.environ)'

Longer walkthrough: Quickstart

Defaults and config file

Avoid repeating --service / --account via ~/.config/seckit/defaults.json or SECKIT_DEFAULT_*. Edit from the CLI: seckit config set …, seckit config show (Defaults). registry.json is metadata only, not CLI defaults.

Documentation

Audience Start here
Everyone Documentation index
Day-to-day use Quickstart · Usage · Defaults
Security posture Security model
Agents / apps Integrations · Examples
iCloud / signing iCloud Sync Validation · Two-host manual checklist
Wheels / release GitHub release build
Deep dives Metadata registry · Cross-host validation

Contributing

Issues and PRs welcome (CLI UX, backends, docs, import/export edge cases). Local checks:

bash ./scripts/run_local_validation.sh

Updated: 2026-05-05

Support / license

Copyright 2026 unixwzrd@unixwzrd.aiMIT License

About

Local runtime secrets for macOS AI, agents, and automation. Keep API keys out of .env files, shell history, argv, and launchd plists.

unixwzrd.ai/projects/Secrets-Kit/

Topics

macos shell devops dotenv automation keychain environment-variables tokens developer-tools secret-storage local-development opsec security-tools secrets-management api-keys macos-cli credential-management agent-workflows dev-sec-ops security-hygiene

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

# Secrets Kit v1.2.0 - "stop painting API keys on argv" release Latest
May 5, 2026
+ 2 releases

Packages

 
 
 

Contributors

Languages