Keep Secrets Out of AI.
Store Them Securely.

Block credentials from AI context windows. Store secrets in encrypted backends. Protect MCP server configs. One command to set up, zero dependencies.

View on GitHub

Full documentation

terminal
$ npx secretless-ai init

  Secretless v0.12.5
  Keeping secrets out of AI

  Detected:
    + Claude Code
    + Cursor

  Configured:
    * Claude Code
    * Cursor

  Created:
    + .claude/hooks/secretless-guard.sh
    + CLAUDE.md

  Modified:
    ~ .claude/settings.json
    ~ .cursorrules

  Done. Secrets are now blocked from AI context.

The Problem

Without Secretless

  • AI reads .env files with API keys
  • Credentials sent to remote AI APIs
  • SSH keys, cloud creds exposed in context
  • AI suggests hardcoded secrets in code

With Secretless

  • Secret files blocked before AI reads them
  • Credentials never enter the context window
  • Bash commands that dump secrets are blocked
  • AI uses environment variable references instead

How It Works

Secretless auto-detects your AI tools, blocks secret access, stores credentials in encrypted backends, and injects them at runtime.

1

Detect

Scans your project for AI tool config files. Finds .claude/, .cursorrules, .aider.conf.yml, and more.

2

Configure

Installs tool-specific protections. Hooks for Claude Code, instruction files for Cursor and Copilot, ignore patterns for Aider.

3

Store

Secrets go into encrypted backends: local AES-256-GCM, OS keychain, 1Password, Vault, or GCP Secret Manager. Never in .env files or shell profiles.

4

Inject

At runtime, secrets are injected into process memory as environment variables. AI sees the output but never the secret values.

Secret Storage Backends

Choose where secrets are stored. All backends encrypt at rest. Secrets exist only in the backend and get injected into process memory at runtime.

Local

Default

AES-256-GCM encrypted file on disk. No external dependencies. Works everywhere Node.js runs.

Zero setup
Single machine
Filesystem auth

OS Keychain

macOS + Linux

macOS Keychain or Linux Secret Service. Hardware-backed encryption on Apple Silicon. OS login auth.

OS-level encryption
Device-local sync
OS login auth

1Password

Recommended for teams

Dedicated vault via the op CLI. Biometric unlock (Touch ID). Service accounts for CI/CD. Cross-device sync.

Biometric auth
Cross-device sync
CI/CD via service accounts

HashiCorp Vault

Enterprise / self-hosted

KV v2 secrets engine. Cross-device and cross-cluster sync. Vault token authentication. Namespace isolation.

Cross-cluster sync
Vault token auth
Namespace isolation

GCP Secret Manager

Google Cloud

Google Cloud Secret Manager with IAM integration. Auto-versioned. Native to Cloud Run, GKE, and Cloud Functions.

IAM-integrated auth
Automatic versioning
Cloud-native sync
terminal
$ npx secretless-ai backend set 1password

  Backend set to 1password

$ npx secretless-ai migrate --from local --to 1password

  Migrating 4 secrets from local to 1password...
  Done. All secrets migrated.

Secret Management

Store, list, and inject secrets without exposing them to AI tools. Import from .env files or set them individually.

Store and list secrets

$ npx secretless-ai secret set STRIPE_KEY=sk_live_...
  Stored STRIPE_KEY

$ npx secretless-ai secret list
  ANTHROPIC_API_KEY
  OPENAI_API_KEY
  STRIPE_KEY
  DATABASE_URL

Inject at runtime

# Inject all secrets into a command
$ npx secretless-ai run -- npm test

# Inject only specific keys
$ npx secretless-ai run --only STRIPE_KEY -- npm start

# Import from existing .env files
$ npx secretless-ai import --detect
  Found .env (4 secrets)
  Found .env.local (2 secrets)
  Imported 6 secrets.

MCP Secret Protection

Every MCP server config has plaintext API keys in JSON files. The LLM sees them. Secretless encrypts them.

Encrypt MCP secrets

$ npx secretless-ai protect-mcp

  Secretless MCP Protection

  Scanned 1 client(s)

  + claude-desktop/browserbase
      BROWSERBASE_API_KEY (encrypted)
  + claude-desktop/github
      GITHUB_PERSONAL_ACCESS_TOKEN (encrypted)
  + claude-desktop/stripe
      STRIPE_SECRET_KEY (encrypted)

  3 secret(s) encrypted across 3 server(s).

Before: plaintext keys in JSON

{
  "mcpServers": {
    "stripe": {
      "command": "npx",
      "args": ["-y", "@stripe/mcp"],
      "env": {
        "STRIPE_SECRET_KEY": "sk_live_51Hx..."
      }
    }
  }
}

After: encrypted, injected at runtime

{
  "mcpServers": {
    "stripe": {
      "command": "secretless-mcp",
      "args": ["npx", "-y", "@stripe/mcp"],
      "env": {}
    }
  }
}

Custom Deny Rules

Define organization-specific patterns to block. Company env vars, internal config files, proprietary CLI tools. The rules file contains patterns, not secrets — safe to commit to version control.

secretless-rules.yml

# Block org-specific environment variables
env:
  - ACME_*
  - INTERNAL_DB_*

# Block proprietary config files
files:
  - "*.corp-secret"
  - "internal-config.*"

# Block commands that access internal systems
bash:
  - "curl*internal.corp.com*"
  - "vault read*"

Initialize rules

$ npx secretless-ai rules init
Glob patterns for env vars, files, and bash commands
Extends built-in rules, does not replace them
Safe to commit — contains patterns, not secrets

Test and manage rules

Preview what deny rules a pattern generates before applying. List active rules to audit coverage.

$ npx secretless-ai rules test "ACME_*"
$ npx secretless-ai rules list

AI-Safe Guard

When an AI tool tries to read a secret value, secretless detects the non-interactive context and blocks output.

AI tool runs this command
$ npx secretless-ai secret get STRIPE_KEY

  secretless: Blocked
  Secret values cannot be read in non-interactive contexts.
  AI tools capture stdout, which would expose the
  secret in their context.

  To inject secrets into a command:
    npx secretless-ai run -- <command>

Direct terminal access (human) works normally. The guard detects non-interactive execution — which is how AI tools run commands — and refuses to output secret values.

Credential Scope Discovery

Credential permissions change over time as platforms evolve. Scope discovery detects when a credential's effective permissions expand beyond its baseline, catching privilege escalation before it becomes a breach.

Discover and monitor scope drift

# Discover current permissions, save baseline
$ npx secretless-ai scope discover MY_GCP_KEY

# Compare current permissions to saved baseline
$ npx secretless-ai scope check MY_GCP_KEY

# List all stored baselines
$ npx secretless-ai scope list

# Clear a baseline to re-discover
$ npx secretless-ai scope reset MY_GCP_KEY

Supported providers

GCP — Service account key JSON via testIamPermissions
HashiCorp Vault — Token prefix detection via capabilities-self
AWS — Access key prefix detection via STS + IAM introspection

All providers use self-inspection APIs. No additional permissions required.

Broker integration

Add scopeCheck: true to any broker policy rule. The broker blocks credential access if the scope has expanded beyond its saved baseline.

Credential Broker and Data Loss Prevention

Runtime credential access control and AI transcript scanning. Detect leaked credentials in shell history and conversation logs. Available standalone or through the OpenA2A CLI.

Credential Broker

secretless-ai broker

Identity-aware credential access control daemon. Enforces deny-all policies so each credential is only accessible to authorized agents. Supports AIM identity verification, trust score constraints, and rate limiting.

$ npx secretless-ai broker start
$ npx secretless-ai broker status
$ npx secretless-ai broker stop
Deny-all by default
Per-credential policy rules
AIM identity + trust score constraints

Data Loss Prevention

secretless-ai scan / clean / watch

Scan AI tool transcripts, shell history, and conversation logs for leaked credentials. Redact findings in place or preview with dry-run. Set up real-time monitoring to catch leaks as they happen.

# Scan shell history for credentials
$ npx secretless-ai scan --history

# Redact credentials in shell history
$ npx secretless-ai clean-history

# Scan and redact AI transcripts
$ npx secretless-ai clean
$ npx secretless-ai clean --last

# Start real-time transcript monitoring
$ npx secretless-ai watch start
Shell history scanning and redaction
AI transcript credential detection
Real-time watch daemon with system daemon support
Dry-run mode for safe preview

Supported AI Tools

ToolProtection MethodStrength
Claude CodePreToolUse hook + deny rules + instructionsStrongest
Cursor.cursorrules instructionsGood
GitHub Copilot.github/copilot-instructions.mdGood
Windsurf.windsurfrules instructionsGood
Cline.clinerules instructionsGood
Aider.aiderignore patternsGood

Claude Code gets the strongest protection because it supports hooks — a shell script runs before every file read and blocks access at the tool level.

What Gets Blocked

File Patterns (20+)

Environment files
.env, .env.*, .env.local, .env.production
Private keys
*.key, *.pem, *.p12, *.pfx, *.crt
Cloud credentials
.aws/credentials, .ssh/*, .docker/config.json
Package auth
.npmrc, .pypirc, .git-credentials
Infrastructure
*.tfstate, *.tfvars
Secret directories
secrets/, credentials/

Credential Patterns (49)

Anthropic API keys
OpenAI keys (project + legacy)
AWS access keys + secret keys
GitHub PATs (classic + fine-grained)
Slack tokens (bot, user, webhook)
Google API keys + OAuth secrets
Stripe live + test keys
SendGrid keys
Supabase service + anon keys
Azure keys + connection strings
GitLab tokens (personal, project, group)
Twilio account SID + auth token
Mailgun API keys
MongoDB connection URIs
JWTs and bearer tokens
And 34 more patterns...

Git Protection

Pre-commit hook scans staged files for secrets before they enter git history. Catches what .gitignore misses.

terminal
$ npx secretless-ai hook install
  Installed pre-commit hook.

$ npx secretless-ai hook status
  Pre-commit hook: installed
  Patterns: 49 credential patterns active
0
Runtime dependencies
791
Tests
49
Credential patterns
5
Storage backends
6
AI tools supported

Get started in 10 seconds

npx secretless-ai init
GitHub