Show HN: Kontext CLI – Credential broker for AI coding agents in Go
TL;DR Highlight
This open-source CLI tool securely injects short-lived tokens into AI coding agents when accessing external services like GitHub, Stripe, and databases, avoiding the exposure of long-term API keys. It's gaining attention as a replacement for the risky practice of copy-pasting keys into .env files.
Who Should Read
Developers or team leads who have deployed AI coding agents like Claude or Copilot but are concerned about API key management. Specifically, backend/DevOps engineers who need to grant agents access to external services and want to reduce security risks.
Core Mechanics
- AI coding agents need access to external services like GitHub, Stripe, and databases, but most teams currently copy and paste long-term API keys into .env files. This approach carries a high risk of key leakage and lacks governance.
- Kontext CLI solves this problem by acting as a 'Credential Broker'. Agents don't directly hold keys; instead, they receive short-lived tokens at session start, which automatically expire at the end of the session.
- By declaring the credentials a project needs in a `.env.kontext` file, the CLI replaces placeholders with actual short-lived tokens using the RFC 8693 Token Exchange standard when the `kontext start` command is executed, then runs the agent.
- Every Tool Call made by the agent is streamed to the Kontext dashboard and recorded for audit and governance purposes. You can track which agent accessed which service and when.
- For static API keys (services that don't support OIDC), the backend directly injects the keys into the agent's runtime environment. However, it was noted that the keys could still be readable within the agent's environment.
- Installation is simple with `brew install kontext-security/tap/kontext`, and direct binary installation is also supported from GitHub Releases. It's an open-source project written in Go.
- The OSS CLI appears to function as a client for a paid backend service. There have been many questions from the community about the credential storage model and the boundary between OSS and paid features, but an official answer remains unclear.
Evidence
- Questions were raised about whether the OSS CLI is a client of a paid service and whether credentials are stored on the Kontext server. Concerns were expressed about the lack of transparency in the custody model (where my keys are stored), and opinions were shared that a clear trust model is necessary for a security tool.
- In response to the explanation that static API keys are directly injected into the agent's runtime environment by the backend, a counterargument was made: 'Then what prevents the agent from reading and storing or leaking the key from the environment variable?' A deeper security concern was also raised that if the agent process runs with the same user privileges, the key could be extracted from the kontext process memory.
- Comments compared it to projects with similar approaches, such as Tailscale Aperture and OneCLI. Questions were asked about the differentiators, indicating that competition in this area has begun.
- An alternative idea using eBPF was suggested. By monitoring network I/O and intercepting requests, tokens and signatures could be injected at runtime, allowing agents to only be given placeholder tokens and eliminating the need for additional abstraction layers.
- The context-based authorization feature – 'issuing credentials only when the intention of the agent's reasoning trace matches what the user has authorized' – received attention. This feature was evaluated as a key differentiator from existing solutions.
How to Apply
- If you need to give an AI coding agent like Claude or Cursor access to the GitHub API or Stripe keys, declare the necessary credentials in a `.env.kontext` file and run the agent with `kontext start` to operate with session-limited tokens without exposing long-term keys.
- If you're using AI agents as a team and need audit logs of who accessed which services, leverage Kontext's dashboard streaming feature to record all Tool Calls and establish a governance system.
- If you need to allow agent access to legacy services (internal APIs, older SaaS, etc.) that don't support OIDC, use Kontext's static key injection method, but additionally review sandboxing to prevent the agent from directly reading environment variables.
- If you're interested in an eBPF-based approach, refer to the riptides.io case mentioned in the comments to explore the option of replacing tokens at the network layer without modifying the agent code.
Code Example
# Installation
brew install kontext-security/tap/kontext
# Or direct binary installation (macOS ARM)
tmpdir="$(mktemp -d)" \
&& gh release download --repo kontext-security/kontext-cli \
--pattern 'kontext_*_darwin_arm64.tar.gz' \
--dir "$tmpdir"
# Declare necessary credentials in .env.kontext file and run agent
kontext startTerminology
Related Papers
Show HN: ctx – Search the coding agent history already on your machine
Claude Code, Cursor, Codex 등 코딩 에이전트가 이전 세션의 논의·결정·실패 시도를 잊지 않도록 SQLite로 인덱싱해 재사용할 수 있게 해주는 오픈소스 CLI 도구다.
Micro-Agent: Beat Frontier Models with Collaboration Inside Model API
vLLM 팀이 단일 모델 API 호출 뒤에서 여러 모델이 협업하는 'Micro-Agent' 개념을 공개했습니다. 별도의 에이전트 코드 없이 라우터 레이어에서 모델 조합을 실행해 GPT-4급 결과를 더 저렴하게 낼 수 있다는 아이디어입니다.
Ornith-1.0: self-improving open-source models for agentic coding
Gemma 4와 Qwen 3.5를 기반으로 파인튜닝한 코딩 특화 오픈소스 모델로, RL(강화학습)을 통해 스캐폴드(에이전트 실행 구조)까지 함께 최적화하는 방식을 주장하지만, 커뮤니티에서는 벤치마크 과최적화에 불과하다는 의심을 받고 있다.
Entity Binding Failures in Tool-Augmented Agents
AI 에이전트가 올바른 도구를 선택해도 잘못된 대상에 실행하는 'Entity Binding 실패' 문제를 정의하고, 이를 막는 실행 정책을 평가한 논문.
Herdr: Agent multiplexer that lives in your terminal
여러 AI 코딩 에이전트(Claude, Codex 등)를 하나의 터미널에서 동시에 실행·관리할 수 있는 Rust 기반 오픈소스 툴로, tmux처럼 세션이 유지되고 SSH로 원격 접속도 가능해 멀티 에이전트 워크플로우를 크게 단순화해준다.
Ornith-1.0: Self-scaffolding LLMs for agentic coding
모델이 문제 풀이 전략(scaffold)을 직접 생성하고 개선하는 자기강화 학습 프레임워크를 적용한 오픈소스 코딩 특화 LLM으로, 9B 소형 모델부터 397B 대형 모델까지 라인업을 갖추고 SWE-Bench 등 주요 벤치마크에서 Claude Opus 4.7을 능가하는 성능을 보여줬다.