I built a way for coding agents to use secrets with O seeing them Developer pdumicz released Secret Shuttle, a local bridge that lets AI coding agents use secrets like API keys without ever seeing the plaintext values. The tool stores secrets in a local daemon vault and exposes only references and metadata to agents, closing a security gap in existing secret management tools. Currently in beta, it supports Claude Code, Codex, Cursor, and Copilot. Reading this as an AI coding agent?Your starting point is skills/secret-shuttle/SKILL.md raw URL: https://raw.githubusercontent.com/pdumicz/secret-shuttle/main/skills/secret-shuttle/SKILL.md . The SKILL is your operational manual; this README is for humans. Let AI agents use secrets without seeing them. ▶ Walk through the interactive demo → https://pdumicz.github.io/secret-shuttle/demo/?scene=0 · opens on the one-approval provision flow, then a 9-scene click-through of the low-level mechanics — a dev shipping a Stripe webhook secret to Vercel prod without ever seeing the value. Status: 0.5.0 — beta.The architecture has been through multiple bursts of adversarial security review with fixes shipped at each gate. Not yet independently audited; recommend test accounts and rotating tokens until that audit lands. Suitable for development workflows and prototype deployments. Secret Shuttle is a local bridge that lets coding agents — Claude Code, Codex, Cursor, browser-using agents — capture, generate, store, compare, and inject secrets through browser and CLI workflows. The agent sees only refs like ss://stripe/prod/STRIPE WEBHOOK SECRET , fingerprints, field metadata, and status — never the raw value. Those tools sync secrets across environments — they assume a human or a CI runner is the consumer. Secret Shuttle assumes an AI coding agent is the consumer, and treats every plaintext touch as a leak vector. | Tool | Where secrets live | Who sees plaintext | Agent-aware? | |---|---|---|---| | Doppler / Infisical | Cloud vault | Anyone with read access incl. agents querying it | No — sync model | | 1Password CLI | OS keychain | Caller process; op read writes to stdout | No | | Vercel envs et al. | Vendor backend | Engineers via dashboard; build runners via env | No | Secret Shuttle | Local daemon vault | Only the daemon's child processes templates | Yes — agent sees only refs | If your secrets already live in a sync tool and an agent never touches them, you don't need Secret Shuttle. If you have an agent writing code that needs to ship secrets to Vercel/GitHub/etc, and you want the agent to do that without the bytes entering its context — that's the gap this closes. npx secret-shuttle init This starts the local daemon and walks you through creating a vault passphrase in a local web window that only the daemon owns — the CLI never reads it. Touch ID isn't a first-run prompt: it's how later unlocks work once the vault key is enrolled in the OS keychain. init enrols the keychain by default when it creates the vault — pass --no-keychain to opt out, or run secret-shuttle keychain enable later. After init completes the daemon is running and you are ready to use the CLI or hand it to an agent. If you're configuring an agent to use Secret Shuttle, paste this raw skill URL into the agent it's the canonical operating manual : https://raw.githubusercontent.com/pdumicz/secret-shuttle/main/skills/secret-shuttle/SKILL.md If you have the CLI installed locally, run one of these from your project root and the platform-specific instructions file is written for you: secret-shuttle agent install claude → .claude/skills/secret-shuttle/SKILL.md secret-shuttle agent install codex → AGENTS.md snippet marker-managed secret-shuttle agent install cursor → .cursor/rules/secret-shuttle.mdc secret-shuttle agent install copilot → .github/copilot-instructions.md snippet marker-managed secret-shuttle agent print-skill-url → the raw URL one line, paste it Snippet targets AGENTS.md, .github/copilot-instructions.md wrap the Secret Shuttle block in < -- secret-shuttle:begin -- / < -- secret-shuttle:end -- markers — re-running agent install only replaces the marked block, never the surrounding content. Agent CLI untrusted client | | localhost HTTP, bearer token from ~/.secret-shuttle/daemon-socket.json v Secret Shuttle daemon - vault key in memory only, after passphrase unlock through web UI - approval grants single-use, 2-min TTL, bound to action/ref/domain/target/field/template - browser owner — talks raw CDP over a pipe - filtered CDP WebSocket proxy exposed to the agent - safe command-template runner no shell, no arbitrary commands The daemon owns every secret moment. The agent sees refs and status, never raw values, never the raw Chrome CDP URL, never the vault key. CLI templates most reliable . Push a secret to Vercel / GitHub Actions / Cloudflare / Supabase — the value goes to the vendor's own CLI, never through the agent. This is the path the hero demo above shows. Universal browser handoff experimental . Your agent drives any vendor portal with its normal browser tool, and hands off only the secret moment — it marks the field, the daemon types/reads it under blind mode with the agent's view severed. No per-vendor recipe; it works on a portal nobody integrated. The browser path is early v0.5, best-effort, pending real-page verification : the guarantee is "the agent never sees the plaintext," not "a hostile destination page can't exfiltrate a secret you enter." See SECURITY.md /pdumicz/secret-shuttle/blob/main/SECURITY.md ; for untrusted destinations, prefer the CLI path. secret-shuttle provision --secret INTERNAL CRON SECRET \ --from random 32 bytes \ --environment production \ --to vercel:production production secret — approve in the window the daemon opens secret-shuttle secrets list --env production secret-shuttle secrets get-ref ss://local/prod/INTERNAL CRON SECRET secret-shuttle audit --since=1d For the full browser walkthrough see examples/stripe-to-vercel/walkthrough.md /pdumicz/secret-shuttle/blob/main/examples/stripe-to-vercel/walkthrough.md . secret-shuttle template list secret-shuttle template run vercel-env-add \ --ref ss://stripe/prod/STRIPE SECRET KEY \ --param name=STRIPE SECRET KEY \ --param environment=production Templates run vetted binaries with shell: false , absolute paths only, and never echo stdout/stderr back to the agent. - TypeScript CLI distributed as secret-shuttle - Local daemon with bearer-authenticated HTTP API on 127.0.0.1 - Passphrase-derived envelope around the vault master key scrypt + AES-256-GCM ss://source/env/name refs- Generate, capture focused field / selection , inject, compare — all routed through the daemon - Inject runs inside a daemon-managed blind window no manual blind start - Agentic blind transactions: inject-submit writes a stored secret into a marked field, clicks the marked submit control, waits for the approved success marker, and proves the raw secret is absent from every daemon-observable surface before auto-resuming. reveal-capture clicks a marked reveal control, captures the now-visible bytes from a marked field or ancestor container, hides them, and writes them to the vault only after the absence proof passes secret-shuttle browser mark focused|pick --as