Skip to content

v0.2.1 — Real --strict + --secure

Choose a tag to compare

View all tags
@TheGenXCoder TheGenXCoder released this 22 Apr 18:50
· 50 commits to main since this release
v0.2.1
53270e7

KPM v0.2.1 — real --strict, new --secure, paired with AgentKMS v0.3.1.

This is the client half of the v0.3 launch's second wave. --strict was a parse-only stub in v0.2.0; it now holds no session key and round-trips every decrypt to AgentKMS over mTLS. --secure is new: a per-tool allow-list filter so your AI coding agents get only the credentials they need — nothing more.

Design series: 7-part deep dive at blog.catalyst9.ai. Part 4 covers --secure (the allow-list model for AI agents). Part 2 covers the strict-mode threat model.

Highlights

kpm run --secure — per-tool allow-list filter

# .kpm/secure-allowlist.yaml
claude:
  - ANTHROPIC_API_KEY
cursor:
  - ANTHROPIC_API_KEY
  - OPENAI_API_KEY
gh:
  - GH_TOKEN
$ kpm run --secure -- claude "fix the failing test"
  • Allow-list lookup is first-wins: project-local .kpm/secure-allowlist.yaml beats user-global $XDG_CONFIG_HOME/kpm/secure-allowlist.yaml. No merge.
  • Exact EnvKey match only in v0.2.1. Wildcards land in v0.3.
  • Tool not in allow-list → KPM drops KMS secrets for that invocation and prints a stderr warning, but still runs the child.
  • --secure without a template → hard error.
  • --secure + --strict compose: filter first, strict-wrap what survives.

kpm run --strict — per-decrypt mTLS round-trip

In v0.2.0 the --strict flag parsed and did nothing. In v0.2.1 it works:

  • The listener holds no session key and performs no local decryption.
  • ENC[kpm-strict:...] blobs encode the KMSReference (path, key, type) as base64-JSON — not ciphertext.
  • Each UDS decrypt request round-trips to AgentKMS over mTLS and gets individually policy-checked + audited.
  • Session TTL is irrelevant in strict mode — there's no session key to expire.
  • --strict + --plaintext → hard error.
  • AgentKMS denial → child gets unset env var + stderr error log.

Use this mode for production credentials where "session compromise means temporary exposure" is not acceptable.

//blog:part-N cross-reference annotations

CLI flag definitions and shell-init wiring now carry //blog:part-N comments pointing to the blog posts that describe them. The blog repo's new audit CI uses these to detect drift when a flag is renamed or removed.

Compatibility

AgentKMS version KPM v0.2.1 support
v0.3.1+ Full — --strict + --secure + dynamic credentials + MCP + forensics + plugin backends
v0.3.0 Full — same as v0.3.1 minus the plugin-host protobuf + webhook idempotency fixes
v0.2.0 Registry + encrypted-env + --secure work; --strict degrades gracefully (returns clear error on unknown endpoint)
< v0.2.0 Not tested, not recommended

Installation

# One line — prebuilt binary, no Go required
curl -sL kpm.catalyst9.ai/install | bash

# Local dev
kpm quickstart

Requirements

  • AgentKMS v0.3.1+ recommended for full --strict functionality
  • Go 1.21+ only required for source builds (--source-only)

Breaking changes vs v0.2.0

  • None. --strict behavior is new; existing non-strict callers unaffected.

What's next (v0.3.0)

  • kpm import --scan — find secrets in existing config files
  • Windows support
  • Dedicated client commands for the AgentKMS v0.3 server surface: kpm credential vend, kpm forensics inspect, plugin backend introspection
  • Wildcard support in --secure allow-list

Security

  • Independent code review of --secure and --strict — both approved
  • Strict-mode blob format audited: contains no secret material, only KMS reference metadata (path, key, type, default)
  • Coverage: 78.9% on internal/kpm (75% CI gate)
Assets 6
Loading