Every developer using Claude Code, Codex or Cursor has the same problem: your agent runs your code but it can also read your .env files. API keys, database credentials, anything on disk is visible to the agent.
I built keypo-signer, an open-source CLI that encrypts secrets in a vault backed by your Mac's Secure Enclave. The key command is vault exec: it decrypts secrets via Touch ID, injects them as environment variables into a child process, and the agent gets back stdout and an exit code. It never sees the secret values. They never touch disk, shell history, or the agent's context window.
See it in action: https://youtu.be/rOSyWQ3gw70
It's open source and self-custody: no cloud provider, no accounts to maintain.
There are three vault tiers: open (no auth), passcode and biometric (Touch ID).
Two demos showing what you can build on top of this:
1. Secure Agent Checkout (https://github.com/keypo-us/keypo-cli/tree/main/demo/checkou...): Tell your agent "buy me a hat" and it completes a real Shopify checkout with your actual credit card. Card details live in the biometric vault. The agent calls a wrapper script, Touch ID pops up on your Mac, and a headless browser fills the payment form inside a child process the agent can't inspect. You get an order confirmation email. The agent never sees your card number.
2. Agent Wallet (https://github.com/keypo-us/keypo-cli/tree/main/demo/hermes-...): A hardware wallet for your agent. Uses EIP-7702 smart accounts with the Mac Secure Enclave so your agent can send on-chain transactions but the private key never leaves the hardware. Touch ID gates every signature.
macOS/Apple Silicon only (Secure Enclave is the point). Swift + Rust. brew install keypo-us/tap/keypo-signer
https://github.com/keypo-us/keypo-cli
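The vault exec pattern described above (secrets decrypted only for the duration of one call, injected into a child process's environment, caller gets back nothing but stdout and an exit code), as an added Python example. This is not keypo-signer's code: the Touch ID-gated Secure Enclave decrypt is replaced by a constructed in-memory dict, and the scrubbing of secret values that a misbehaving child echoes to stdout is an extra I added to show the failure mode, not a feature the post claims.

```python
"""Added example: a minimal 'exec with injected secrets' broker.

Not keypo-signer's code. FAKE_VAULT stands in for the per-call,
Touch ID-gated decrypt; the values are constructed and obviously fake.
"""
import os
import subprocess
import sys
from dataclasses import dataclass

# Stand-in for the vault (assumption: in the real tool these are decrypted
# per call, never held in the parent's environment).
FAKE_VAULT = {
    "STRIPE_API_KEY": "sk_test_EXAMPLE_0123456789",
    "DATABASE_URL": "postgres://app:hunter2@db.internal/app",
}


@dataclass
class ExecResult:
    exit_code: int
    stdout: str
    redacted: int  # number of secret values scrubbed from stdout


def redact(text, values):
    """Replace every occurrence of a secret value in text with a marker.

    Longest values first so a value that contains another is handled whole.
    """
    count = 0
    for value in sorted(values, key=len, reverse=True):
        if value and value in text:
            count += text.count(value)
            text = text.replace(value, "[REDACTED]")
    return text, count


def vault_exec(argv, vault=FAKE_VAULT, extra_env=None):
    """Run argv with the vault's entries added to the child's environment only.

    The parent's os.environ is copied, not modified, so the secrets exist in
    this process only as the transient `env` dict for the duration of the
    call. The caller receives the exit code and stdout; any secret value the
    child printed is scrubbed first (my addition to illustrate a leaky tool).
    """
    env = dict(os.environ)
    if extra_env:
        env.update(extra_env)
    env.update(vault)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    out, n = redact(proc.stdout, vault.values())
    return ExecResult(proc.returncode, out, n)


def demo():
    """Two constructed children: one uses the secret quietly, one echoes it."""
    # Well-behaved tool: uses the key, reports only success/failure via exit code.
    quiet = vault_exec([sys.executable, "-c",
        "import os, sys; sys.exit(0 if os.environ['STRIPE_API_KEY'].startswith('sk_') else 3)"])
    # Misbehaving tool: prints the key; the broker scrubs it before returning.
    leaky = vault_exec([sys.executable, "-c",
        "import os; print('key is', os.environ['STRIPE_API_KEY'])"])
    # The broker's own environment never gained the secret value.
    parent_clean = FAKE_VAULT["STRIPE_API_KEY"] not in os.environ.values()
    return quiet, leaky, parent_clean


if __name__ == "__main__":
    q, l, clean = demo()
    print("quiet child exit:", q.exit_code, "| redacted:", q.redacted)
    print("leaky child stdout:", l.stdout.strip(), "| redacted:", l.redacted)
    print("parent env clean:", clean)
```

The isolation this buys is from the caller's view of the process: the agent sees only what `vault_exec` returns. The child's environment is still ordinary process state, readable by any other process running as the same user (`ps -E` on macOS, `/proc/PID/environ` on Linux), so a tool that spawns untrusted subprocesses of its own should drop the variables again before doing so.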