v0.1.0 · open source · pre-npm

Agent-first secrets rotation. Local-first. Zero servers.

rotate-cli is the first secrets rotation tool built for the AI-native stack. Your master credentials never leave your machine — borrowed from CLIs you already trust. Agents can rotate safely with hard guardrails.

built after the Vercel breach · april 2026

evidence

1,516 environment variables. One command.

The April 2026 Vercel incident left one of us staring at 1,516 env vars flagged "Need to Rotate" across 467 projects. rotate-cli exists because rotating them by hand was a bad afternoon that nobody should repeat.

17 adapters · 3 consumers · 0 servers · MIT license

quick start

Rotate a breach scope in four lines.

Describe what you rotate, point rotate at an incident file, and let the grace period keep production alive while consumers redeploy.

# 1. describe the secrets and their consumers
$ rotate init

# 2. see the plan — no mutation
$ rotate plan --tag production

# 3. respond to an incident
$ rotate incident .rotate/incidents/vercel-apr-2026.yaml \
    --yes --reason "vendor breach response"

# 4. close the rotation once deploys are healthy
$ rotate revoke rot_abc123

no dashboard · no lock-in · one config file in your repo

providers · v0.1

17 adapters. Every one hits the public API.

No SDK bloat. Each adapter is a single file implementing create / verify / revoke against the provider's documented REST surface. Providers without a rotation API land in v0.2 via human-in-the-loop adapters.

adapter · category · secrets

clerk · auth · CLERK_SECRET_KEY, webhook
openai · ai · admin keys via /v1/organization
anthropic · ai · admin API keys
resend · email · RESEND_API_KEY
supabase · db · service role, anon, jwt
neon · db · project API keys
neon-connection · db · DATABASE_URL / POSTGRES_*
github-token · ci · installation tokens
vercel-token · infra · VERCEL_TOKEN
ai-gateway · ai · AI_GATEWAY_API_KEY
upstash · cache · Redis / Vector REST tokens
vercel-kv · cache · legacy KV_* (alias)
polar · billing · OAT + webhook secrets
fal · ai · FAL_API_KEY
elevenlabs · ai · service-account keys
turso · db · TURSO_AUTH_TOKEN + DATABASE_URL
local-random · app · SESSION / JWT / HMAC

consumers

vercel-env · Vercel project env vars + redeploy
github-actions · repo/org secrets (sealed-box)
local-env · .env files (atomic write)

agent mode

Guardrails designed for Claude Code & Codex.

Set ROTATE_CLI_AGENT_MODE=1. The CLI refuses to rotate without a --reason that lands in the audit log, a hard cap on blast radius, and an append-only JSONL trail. Revoking the old secret always takes an explicit --force-revoke — agents can rotate eagerly and revoke conservatively.

$ ROTATE_CLI_AGENT_MODE=1 rotate apply openai-prod \
    --reason "vercel breach response 2026-04-19" \
    --max-rotations 1 \
    --audit-log ~/.kai/audit/rotate-$(date +%F).jsonl \
    --yes

design

Local-first is not a feature. It's the point.

rotate-cli has no servers. No SaaS dashboard. It does not phone home. It borrows auth tokens from CLIs you already have installed (vercel, gh, clerk) or from env vars you provide.

A centralized rotation service is itself a breach target — the exact pattern that caused the Vercel incident. rotate-cli holds no keys between runs, only the plan. When you are done rotating, there is nothing for an attacker to steal except your own machine.

rotate keys, not trust.

Read the code before you rotate anything.

rotate-cli is MIT-licensed. 17 adapters in v0.1. Tested with 136 unit tests but not yet battle-tested against live rotations — we are smoke-testing through April 2026 before cutting npm.