v0.1.0-dev · open source · pre-npm

Agent-first secrets rotation. Local-first. Zero servers.

rotate-cli is the first secrets rotation tool built for the AI-native stack. Your master credentials never leave your machine. They are borrowed from CLIs you already trust. Agents can rotate safely with hard guardrails.


built after the Vercel breach · april 2026

evidence

1,516 environment variables. One command.

The April 2026 Vercel incident left one of us staring at 1,516 env vars flagged "Need to Rotate" across 467 projects. rotate-cli exists because rotating them by hand was a bad afternoon that nobody should repeat.

22 adapters · 3 consumers · 0 servers · MIT license

quick start

Rotate a breach scope in four commands.

Describe your secrets and their consumers once, point rotate at an incident file, and let the grace period keep production alive while consumers redeploy: the old secret stays valid until you explicitly revoke it.

# 1. describe the secrets and their consumers
$ rotate init

# 2. see the plan, no mutation
$ rotate plan --tag production

# 3. respond to an incident
$ rotate incident .rotate/incidents/vercel-apr-2026.yaml \
    --yes --reason "vendor breach response"

# 4. close the rotation once deploys are healthy
$ rotate revoke rot_abc123

no dashboard · no lock-in · one config file in your repo

providers

22 adapters. Every API-backed one hits the public API; the rest are manual-assist.

No SDK bloat: each adapter is a single file implementing create / verify / revoke against the provider's documented REST surface. Dashboard-only providers (Firecrawl, Trigger.dev, Uploadthing, Vercel Blob) use manual-assist mode: the CLI pauses, you paste a new value from the provider UI, and rotate-cli still handles propagation, verification, and grace.

adapter           category   mode      rotates
clerk             auth       api       CLERK_SECRET_KEY, webhook
openai            ai         api       admin keys via /v1/organization
anthropic         ai         api       admin API keys
resend            email      api       RESEND_API_KEY
supabase          db         api       service role, anon, jwt
neon              db         api       project API keys
neon-connection   db         api       DATABASE_URL / POSTGRES_*
github-token      ci         api       installation tokens
vercel-token      infra      api       VERCEL_TOKEN
ai-gateway        ai         api       AI_GATEWAY_API_KEY
upstash           cache      api       Redis / Vector REST tokens
polar             billing    api       OAT + webhook secrets
fal               ai         api       FAL_API_KEY
elevenlabs        ai         api       service-account keys
turso             db         api       TURSO_AUTH_TOKEN + DATABASE_URL
exa               ai         api       EXA_API_KEY
uploadthing       files      manual    UPLOADTHING_TOKEN
vercel-blob       files      manual    BLOB_READ_WRITE_TOKEN
trigger-dev       jobs       manual    TRIGGER_SECRET_KEY
firecrawl         scrape     manual    FIRECRAWL_API_KEY
vercel-kv         cache      no-check  legacy KV_* (alias)
local-random      app        no-check  SESSION / JWT / HMAC

consumers

vercel-env        Vercel project env vars + redeploy
github-actions    repo/org secrets (sealed-box)
local-env         .env files (atomic write)

agent mode

Guardrails designed for Claude Code & Codex.

Set ROTATE_CLI_AGENT_MODE=1. In agent mode the CLI refuses to rotate without a --reason, which lands in the audit log; enforces a hard cap on blast radius (--max-rotations); and writes an append-only JSONL trail. Revoking the old secret always takes an explicit --force-revoke, so agents can rotate eagerly and revoke conservatively.

$ ROTATE_CLI_AGENT_MODE=1 rotate apply openai-prod \
    --reason "vercel breach response 2026-04-19" \
    --max-rotations 1 \
    --audit-log ~/.kai/audit/rotate-$(date +%F).jsonl \
    --yes

design

Local-first is not a feature. It's the point.

rotate-cli has no servers. No SaaS dashboard. It does not phone home. It borrows auth tokens from CLIs you already have installed (vercel, gh, clerk) or from env vars you provide.

A centralized rotation service is itself a breach target, and that is the pattern the Vercel incident followed. rotate-cli holds no keys between runs, only the plan. When you are done rotating, there is nothing for an attacker to steal except what was already on your machine: the CLI tokens rotate-cli borrowed were there before it ran.

rotate keys, not trust.

Read the code before you rotate anything.

rotate-cli is MIT-licensed. 22 adapters covered. 334 unit tests passing. End-to-end smoke tests against real providers are in progress before the npm release is cut.