opena2a secrets
Credential management for AI coding tools. Adapter for Secretless.
Usage
opena2a secrets [options]
Description
Delegates to Secretless AI for credential lifecycle management. Supports OS keychain storage, 1Password integration, vault backends, and MCP context protection. Prevents credential leakage in LLM tool contexts.
This command passes all flags through to secretless-ai. See the Secretless documentation for the full reference.
Common Operations
opena2a secrets init
opena2a secrets verify
opena2a secrets scan
Subcommands
| Subcommand | Description |
|---|---|
| init | Initialize Secretless configuration in the current project. Creates .secretless.json and configures blocked file patterns. |
| verify | Check that credential configuration is correct and no secrets are exposed in AI tool contexts. |
| scan | Scan the project for hardcoded credentials, leaked API keys, and exposed secrets. |
| status | Show current Secretless configuration, backend type, and protection status. |
| backend set <type> | Configure the credential storage backend: local, keychain, 1password, vault, or gcp. |
| migrate <from> <to> | Migrate credentials between storage backends. |
Storage Backends
Secretless supports multiple credential storage backends. The default is local, which stores credentials in the OS keychain. You can switch backends depending on your security requirements and team workflow.
| Backend | Description |
|---|---|
| local | OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service). |
| keychain | Direct OS keychain access without abstraction layer. |
| 1password | 1Password integration via CLI or Connect Server. |
| vault | HashiCorp Vault KV secrets engine. |
| gcp | Google Cloud Secret Manager. |
Example Workflow
# 1. Initialize Secretless in your project
opena2a secrets init
# 2. Verify the configuration is correct
opena2a secrets verify
# 3. Scan for any exposed credentials
opena2a secrets scan
# 4. Switch to 1Password backend (optional)
opena2a secrets backend set 1password
# 5. Migrate existing credentials
opena2a secrets migrate local 1password
Expected Output
$ opena2a secrets verify
Secretless AI - Credential Verification
========================================
Backend: local (OS keychain)
Config: .secretless.json found
Blocked patterns: .env, .env.*, *.key, *.pem
Protected tools: Claude Code, Cursor, Windsurf
Status: All credentials properly secured
No secrets found in AI tool contexts
Error Handling
If secretless-ai is not installed, the command prints installation instructions and exits with code 1. When running secrets scan in CI mode (--ci), any detected credential exposure causes a non-zero exit code. The backend set command validates backend availability before switching and reports clear error messages if the target backend (such as 1Password CLI or Vault) is not accessible.
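A missing secretless-ai install and a detected exposure both end in a non-zero exit, so a pipeline that only checks for failure cannot tell "no scan ran" from "the scan found something". The wrapper below is an added example, not code from the OpenA2A or Secretless projects; it assumes both tools are resolvable on PATH under those names, and the 0/1/2 return codes are its own convention.

```sh
#!/bin/sh
# CI gate around `opena2a secrets scan --ci` (added example, not project code).
# Return codes are this example's own convention:
#   0 = scan ran and reported no exposure
#   1 = scan ran and exited non-zero (credential exposure in --ci mode)
#   2 = tooling missing, so no scan took place
secrets_gate() {
    # Assumption: opena2a and secretless-ai are both found by name on PATH.
    # Checking first keeps "not installed" (exit 1 per the docs) from being
    # read as a scan finding, or a skipped scan from being read as a pass.
    for tool in opena2a secretless-ai; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "secrets gate: $tool not found; scan did not run" >&2
            return 2
        fi
    done

    # Capture the report so it lands in the CI log even when the scan fails.
    # The `|| scan_rc=$?` form keeps this safe under `set -e`.
    scan_rc=0
    report=$(opena2a secrets scan --ci 2>&1) || scan_rc=$?
    printf '%s\n' "$report"

    if [ "$scan_rc" -ne 0 ]; then
        echo "secrets gate: scan exited $scan_rc; failing the build" >&2
        return 1
    fi
    return 0
}

# In a CI step, after sourcing this file:
#   secrets_gate || exit $?
```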