Kontext CLI: Stop Giving Your Agent the Keys to the Kingdom
Here is the dirty secret of coding agents in 2026: most of them run with your long-lived API keys sitting in plaintext .env files. Your GitHub token, your Stripe key, your database credentials -- all accessible to an agent that might hallucinate a curl command to the wrong endpoint. Kontext CLI fixes this with a dead simple approach: ephemeral credentials that die when your session ends.
You declare what your project needs in a .env.kontext file. Run kontext start, and the CLI authenticates you via OIDC, exchanges placeholders for short-lived scoped tokens via RFC 8693 token exchange, launches your agent with those credentials injected, and streams every tool call to a dashboard for audit. When the session ends, the tokens expire automatically. No long-lived secrets ever touch the agent process.
The implementation is a single Go binary -- no daemon, no runtime dependencies. A lightweight sidecar process communicates over Unix socket, and hook handlers normalize events without capturing LLM reasoning or conversation history. The governance angle is real: every tool call is logged, every secret is accounted for, but the agent privacy boundary is respected.
At 90 stars and MIT licensed, Kontext is early but the problem it solves is universal. If you have ever worried about what happens when a coding agent runs rm -rf with your AWS credentials loaded, this is the tool you have been waiting for.
https://github.com/kontext-security/kontext-cli
← Back to all articles
You declare what your project needs in a .env.kontext file. Run kontext start, and the CLI authenticates you via OIDC, exchanges placeholders for short-lived scoped tokens via RFC 8693 token exchange, launches your agent with those credentials injected, and streams every tool call to a dashboard for audit. When the session ends, the tokens expire automatically. No long-lived secrets ever touch the agent process.
The implementation is a single Go binary -- no daemon, no runtime dependencies. A lightweight sidecar process communicates over Unix socket, and hook handlers normalize events without capturing LLM reasoning or conversation history. The governance angle is real: every tool call is logged, every secret is accounted for, but the agent privacy boundary is respected.
At 90 stars and MIT licensed, Kontext is early but the problem it solves is universal. If you have ever worried about what happens when a coding agent runs rm -rf with your AWS credentials loaded, this is the tool you have been waiting for.
https://github.com/kontext-security/kontext-cli
Comments