SERIES · KPM Launch
I had 47 places I stored secrets. Then I built this.
A few weeks ago I went hunting for an API key. I found my secrets in 47 places. Here's what I built to fix that.
Your .env files are a liability — even when they never leave your machine
Your .env never touched git. The password leaked anyway. Nine separate places, depending on which tools you used that afternoon. Here's the better model.
One template tree, twelve clients, zero friction
Switching between clients used to be a fifteen-minute ritual. Now I just cd. Here's the profile system that makes it work.
AI coding agents make the secrets problem worse. Here's the fix.
When your AI coding agent runs, it should see the Anthropic key and the project context — not your production database password. Unless you explicitly said so.
Your AI agent gets 15-minute credentials, not your master key
Long-lived credentials made sense when humans used them. AI agents run 30 commands per session. The fix: credentials that self-destruct when the session ends.
When a credential leaks, you know everything in 30 seconds
GitHub emails you at 2am about a leaked token. Old world: rotate everything, file a ticket, investigation takes a week. New world: one command, 30 seconds, ticket closed.
Go pro for plugins — how AgentKMS stays small and gets big
AgentKMS is one binary. Everything provider-specific, audit-specific, or compliance-specific is a plugin. Here's why that matters and what the plugin API looks like.