Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Keycard – inject API keys into subprocesses, never touch shell env(keycard.studio)
26 points by jijane 3 days ago | 20 comments
na4ma4 3 days ago | parent | next [-]

For dev-first environments, I just wrote a simple wrapper for 1password <https://github.com/na4ma4/1password-direnv-tool>, although I found their application SDK to be quite broken (will stop working after a few hours for no idea why), I didn't write it for anyone other than me, so it works fine for my use case :).

I find it super easy to just make a document, and enter key-val details as attributes.

jauco 3 days ago | parent [-]

Why not use the op cli? It seems to do the same thing?

mrorigo 2 days ago | parent | prev | next [-]

It literally takes 20 minutes to hack this together with an agent and tell it to 'create a stunning landing page'..

https://mrorigo.github.io/envkey/

serious_angel 3 days ago | parent | prev | next [-]

Thank you! Hurray! A yet another brand new credentials "local-first" cloud with very transparent and intuitive brand name, that is going to be "responsible" for "decades" (hopefully years) of storing and maintaining someone's credentials with undisclosed infrastructure, legal terms in cases of the credentials leaked during a bug (e.g. at E2EE/secure channel session), and no actual comparison stated between the current competitors, including DotEnv cloud service, BitWarden, 1Password, KeePass-based etc.!

No, sorry, I, nor anyone I know, would trust credentials to any organization with so little transparency and lack of guarantees, also considering audited alternatives.

Oh, and indeed, where is the key card? Is it in an ASCII art somewhere in documentation?

The design is nice, however, but... may I ask, how much non-AI work was done, if any?

jijane 3 hours ago | parent [-]

[dead]

Wicher 3 days ago | parent | prev | next [-]

I couldn't find the technique used above the fold (or a short way below).

Is this something more (and something more interesting) than just standard spawned process inheriting the parent process environment?

IOW is this actually injecting in the true sense of the word? Because that'd be interesting.

zemo 3 days ago | parent [-]

Reads like it’s not copying the parent, it’s manually constructing the env dictionary to be passed to execve explicitly. I do this in one of my tools at work because developers were exfiltrating secrets and hand jamming them into .env files.

Wicher 3 days ago | parent | next [-]

Yeah, so, it's not injecting? To inject something into X, X needs to exist. X does not exist yet when execve is set up.

I'm not being pedantic. I just want to read about injection when I'm promised injection :-) because that'd be technically interesting for me. Plainly calling execve isn't so much, I have the manpage here already :-)

chrismarlow9 3 days ago | parent | next [-]

You're not alone. I was hoping for the same.

jijane 3 hours ago | parent | prev [-]

[dead]

TZubiri 2 days ago | parent | prev [-]

Something tells me that if I look, I'll see a .env being used in the actual tool

evanelias 2 days ago | parent | prev | next [-]

I assume other processes running as the same user can still freely read the environment, for example using `ps -Eww` on Mac or inspecting /proc on Linux, right? If so, that's an easy way for a rogue process to bypass the local encrypted vault entirely.

Arrowmaster 2 days ago | parent [-]

Yes. Every clone of this idea does the same thing and a new one pops up every week. When I try to point out that the secrets should be exposed through file namespaces instead of ENV vars, the amount of hostility is shocking.

zemo 3 days ago | parent | prev | next [-]

> Password manager > No CLI injection.

reminds me of the 1password cli:

https://developer.1password.com/docs/cli/reference/commands/...

TZubiri 2 days ago | parent | prev | next [-]

This reminds me of the time a trainee dev was doing some work on a security module to hide the IP of the server. Just spending energy on a non threat.

jijane 3 hours ago | parent [-]

[dead]

cr125rider 3 days ago | parent | prev | next [-]

Every LLM site looks like Vercel which is such a shame.

absoluteunit1 3 days ago | parent | prev | next [-]

Is this similar to what Infisical does?

jijane 3 hours ago | parent | prev | next [-]

[dead]

jijane 3 days ago | parent | prev [-]

[dead]