I didn't build Keyhole to solve secret management, there are tools like Doppler for that. It lets the agent handle a secret without having it in context. It can put it where it's needed (e.g. a .env) without ever reading the value.
> Does the agent decrypt it and set it in a .env?
The CLI does it, and the .env can be chmod 600.
> Is the CLI required to be used in the build process?
That's not what I built it for, I'd reach for other tools on the market for that.
> Does the agent decrypt it and set it in a .env?
The CLI does it, and the .env can be chmod 600.
> Is the CLI required to be used in the build process?
That's not what I built it for, I'd reach for other tools on the market for that.