Local-first API credential vault and runtime injection for developers.
Store once. Inject at runtime. Never expose.
This prototype implements the core CLI workflow:
- Store API keys in macOS Keychain.
- Group keys into local project profiles.
- Inject profile keys into a child process environment.
- Mask values in debug output.
- Sync profile values to GitHub Actions Secrets through the GitHub CLI.
No cloud backend or login is required.
npm install
npm linkThe checked-in bin/famtec.js can also be run directly:
node bin/famtec.js helpfamtec add together
famtec add deepseek
famtec profile create openclaw
famtec profile attach openclaw together
famtec profile attach openclaw deepseek
famtec import-env .env --profile openclaw
famtec list
famtec run openclaw -- npm run devThe -- delimiter is recommended because it makes the boundary between Keytec/FAMTEC arguments and your application command explicit. famtec run my-app npm run dev is also accepted for quick use.
Provider names are normalized to environment variable names. For example:
openaibecomesOPENAI_API_KEYanthropicbecomesANTHROPIC_API_KEYtogetherbecomesTOGETHER_API_KEYdeepseekbecomesDEEPSEEK_API_KEYGITHUB_TOKENstaysGITHUB_TOKEN
famtec list reports token handles attached to local profiles. It does not enumerate the macOS Keychain.
famtec add <provider>
famtec get <provider>
famtec list
famtec remove <provider>
famtec profile create <name>
famtec profile attach <name> <provider>
famtec profile list
famtec run <profile> -- <command>
famtec env <profile>
famtec import-env <file> [--profile <name>] [--all]
famtec github connect
famtec github sync <profile> owner/repofamtec get and famtec env mask values by default. Use famtec get <provider> --show only when you intentionally need to reveal a secret.
Avoid passing secrets directly as shell arguments. Interactive prompts, stdin, and provider-native token rotation workflows are preferred because shell history lasts longer than anyone expects.
famtec import-env stores secret-like entries from a local .env file in macOS Keychain and can attach them to a profile in one pass. By default it imports names ending in _API_KEY, _PRIVATE_KEY, _SECRET, _TOKEN, or _PASSWORD; use --all only when every KEY=value entry in the file should be treated as sensitive.
Secrets are stored with:
service: famtec
account: <ENV_VAR_NAME>
Profile metadata is stored in ~/.famtec/profiles.json. This file contains provider names only, never secret values.
Runtime injection uses child_process.spawn with an augmented environment for the child process. Secret references are deleted from the local environment object after the command exits.
GitHub sync requires the GitHub CLI:
brew install ghThen store a fine-grained token:
famtec github connect
famtec github sync my-app owner/repoThe token should have permission to write repository Actions secrets.
Build the dockable macOS browser wrapper with:
./scripts/build_macos_browser_app.sh "/Users/robgraham/Desktop/APPS/Keytec API Wallet"The app name is taken from the destination folder. For example, building into /Users/robgraham/Desktop/APPS/Keytec API Wallet creates Keytec API Wallet.app, starts a localhost-only dashboard, and opens it in a Chrome app window.
See KEYTEC_API_WALLET_BUILD.md for the complete prototype build notes, security model, app wrapper details, and verification commands.
OpenClaw support and onboarding systems must not access vault contents, call Keychain APIs, or receive raw environment values. Only sanitized CLI errors, usage events, and documentation content are allowed.
Copyright (c) 2026 Rob Graham. All rights reserved.
This repository is published for authorship, visibility, and evaluation purposes only. No permission is granted to use, copy, modify, distribute, sublicense, sell, or create derivative works from this code, documentation, screenshots, or associated materials without prior written permission from Rob Graham.
Website: fineartmedia.tech
Contact: rob@fineartmedia.tech