Kpm on Catalyst9 Engineering

Kpm on Catalyst9 Engineeringhttps://blog.catalyst9.ai/tags/kpm/Recent content in Kpm on Catalyst9 EngineeringHugoen-usMon, 04 May 2026 00:00:00 -0600I had 47 places I stored secrets. Then I built this.https://blog.catalyst9.ai/posts/part-1-scattered-secrets/Tue, 21 Apr 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-1-scattered-secrets/A few weeks ago I went hunting for an API key. I found my secrets in 47 places. Here’s what I built to fix that.Your .env files are a liability — even when they never leave your machinehttps://blog.catalyst9.ai/posts/part-2-env-files-liability/Wed, 22 Apr 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-2-env-files-liability/Your .env never touched git. The password leaked anyway. Nine separate places, depending on which tools you used that afternoon. Here’s the better model.One template tree, twelve clients, zero frictionhttps://blog.catalyst9.ai/posts/part-3-multi-client/Fri, 24 Apr 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-3-multi-client/Switching between clients used to be a fifteen-minute ritual. Now I just cd. Here’s the profile system that makes it work.AI coding agents make the secrets problem worse. Here's the fix.https://blog.catalyst9.ai/posts/part-4-ai-agents/Mon, 27 Apr 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-4-ai-agents/When your AI coding agent runs, it should see the Anthropic key and the project context — not your production database password. Unless you explicitly said so.Your AI agent gets short-lived credentials, not your master keyhttps://blog.catalyst9.ai/posts/part-5-dynamic-secrets/Wed, 29 Apr 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-5-dynamic-secrets/Long-lived credentials made sense when humans used them. AI agents run 30 commands per session. The fix: credentials that self-destruct when the session ends.When a credential leaks, you know everything in 30 secondshttps://blog.catalyst9.ai/posts/part-6-forensics/Fri, 01 May 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-6-forensics/GitHub emails you at 2am about a leaked token. Old world: rotate everything, file a ticket, investigation takes a week. New world: one command, 30 seconds, ticket closed.Go pro for plugins — how AgentKMS stays small and gets bighttps://blog.catalyst9.ai/posts/part-7-plugin-model/Mon, 04 May 2026 00:00:00 -0600https://blog.catalyst9.ai/posts/part-7-plugin-model/AgentKMS is one binary. Everything provider-specific, audit-specific, or compliance-specific is a plugin. Here’s why that matters and what the plugin API looks like.