
Show HN: Kontext CLI – Credential broker for AI coding agents in Go

AI coding agents demand access to myriad services, often leading to insecure credential sprawl with long-lived API keys. Kontext CLI offers a robust, open-source solution, replacing static secrets with ephemeral, scoped tokens and comprehensive audit trails. This innovative approach appeals to Hacker News for its elegant handling of a critical security and governance challenge in the burgeoning AI development space.

Score: 7. Comments: 0. Highest rank: #7. Time on front page: 7h. First seen: Apr 14, 3:00 PM. Last seen: Apr 14, 9:00 PM.

The Lowdown

Kontext CLI emerges as a crucial tool for securing the expanding world of AI coding agents, tackling the precarious practice of managing credentials. It addresses the inherent risks of developers copy-pasting long-lived API keys directly into .env files or chat interfaces, offering a more secure and auditable method for agents to access external services like GitHub, Stripe, and databases.

  • Problem Solved: Prevents "secret sprawl" and lack of access lineage by eliminating the need for long-lived API keys for AI agents.
  • Core Mechanism: Replaces static secrets with short-lived, scoped access tokens, injected directly into the agent's runtime environment only for the duration of a session.
  • How It Works (User Flow): Developers declare required credentials in a .env.kontext file, then run kontext start --agent [agent_name]. The CLI handles OIDC authentication, token exchange (RFC 8693), and injects ephemeral credentials.
  • Security & Audit: Credentials exist only in memory during the session, never written to disk. Every tool call made by the agent is streamed for audit, capturing details like action, outcome, and user attribution.
  • Architecture: Utilizes a Go-based CLI and a lightweight sidecar communicating with a backend via ConnectRPC, storing OIDC refresh tokens securely in the system keyring.
  • Governance: Provides telemetry for session lifecycle and hook events, enabling visibility into agent actions without capturing LLM reasoning or conversation history.
  • Installation & Use: Simple installation via brew and a single command to launch agents (e.g., kontext start --agent claude).
  • Open Source: The CLI is open-source, written in Go, and available on GitHub under an MIT license.
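
The token exchange (RFC 8693) named in the list above, as an added example that is not Kontext's own code: it builds the exchange request and rejects a response whose token is long-lived or broader than requested. Using the OIDC ID token as the subject token, the audience and scope values, and the lifetime policy are all assumptions of this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

const grantType = "urn:ietf:params:oauth:grant-type:token-exchange"
const idTokenType = "urn:ietf:params:oauth:token-type:id_token"
const accessType = "urn:ietf:params:oauth:token-type:access_token"
// exchangeForm builds the RFC 8693 request body. Assumption: the OIDC ID token is the subject token.
func exchangeForm(idToken, audience, scope string) url.Values {
	return url.Values{
		"grant_type": {grantType}, "requested_token_type": {accessType},
		"subject_token": {idToken}, "subject_token_type": {idTokenType},
		"audience": {audience}, "scope": {scope},
	}
}

type exchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	ExpiresIn       int    `json:"expires_in"`
	Scope           string `json:"scope"`
}

// checkResponse applies a local policy (assumed here): lifetime at most maxTTL seconds, no unrequested scope.
func checkResponse(body []byte, wantScope string, maxTTL int) (*exchangeResponse, error) {
	var r exchangeResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.AccessToken == "" || r.IssuedTokenType != accessType {
		return nil, fmt.Errorf("unexpected issued_token_type %q", r.IssuedTokenType)
	}
	if r.ExpiresIn <= 0 || r.ExpiresIn > maxTTL {
		return nil, fmt.Errorf("lifetime %ds outside policy (max %ds)", r.ExpiresIn, maxTTL)
	}
	for _, s := range strings.Fields(r.Scope) {
		if !strings.Contains(" "+wantScope+" ", " "+s+" ") {
			return nil, fmt.Errorf("scope %q was not requested", s)
		}
	}
	return &r, nil
}

func main() { fmt.Println(exchangeForm("<oidc-id-token>", "github", "repo:read").Encode()) }
```

A response that omits scope passes the scope check, since RFC 8693 lets the server leave it out when the granted scope equals the requested one.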

By providing a "Security Token Service"-like experience specifically tailored for AI agents, Kontext CLI offers a significant leap forward in managing access, ensuring both security and compliance in a rapidly evolving development landscape.