Principle 1
Separate knowledge from possession
An AI agent often needs to know that a credential exists and what it is for. It does not automatically need possession of the raw token.
KeyLore is not magic, and it is not a claim that AI tools need no credentials. Its value is narrower and more defensible: it gives AI-assisted workflows a better credential boundary than plain environment files by separating secret storage from AI-visible metadata and using a brokered access model.
Principle 2
In a .env-based setup, every secret loaded into the process is potentially accessible to the model-facing environment. KeyLore aims to reduce that ambient exposure.
Principle 3
Credential selection should not depend on reverse-engineering variable names. KeyLore uses metadata to express purpose and scope more clearly.
Why not .env?
.env solves distribution, not control. Environment variables are process-wide. Any tool, shell, or agent can read and echo them, and they leak through logs, stack traces, prompts, and copied configs. That is a weak default for agentic systems.
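The contrast between a .env file and a brokered model, as an added Python sketch; it is not KeyLore's code or API. The `Credential`, `Broker`, `env_view` and `echo_transport` names, the tokens and the host scope are all constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Credential:
    ref: str              # handle the agent may see and name
    purpose: str          # metadata: what the credential is for
    allowed_hosts: tuple  # metadata: where it may be used
    secret: str           # raw token; stays inside the broker

class Broker:
    """Hypothetical broker: stores secrets, exposes metadata, injects tokens per request."""
    def __init__(self, creds):
        self._creds = {c.ref: c for c in creds}

    def catalog(self):
        # AI-visible view: knowledge of each credential, not possession of it.
        return [{"ref": c.ref, "purpose": c.purpose, "allowed_hosts": list(c.allowed_hosts)}
                for c in self._creds.values()]

    def authorize(self, ref, url):
        # Builds headers for the broker's own outbound call; refuses out-of-scope targets.
        cred = self._creds.get(ref)
        parts = urlsplit(url)
        if cred is None or parts.scheme != "https" or parts.hostname not in cred.allowed_hosts:
            raise PermissionError(f"{ref!r} is not scoped for {url!r}")
        return {"Authorization": f"Bearer {cred.secret}"}

    def call(self, ref, url, send):
        # `send` is a stand-in transport (assumption) so the example runs offline.
        body = send(url, self.authorize(ref, url))
        return body.replace(self._creds[ref].secret, "[REDACTED]")

def env_view(environ):
    # .env model: the agent guesses by variable name and gets every raw value.
    return {k: v for k, v in environ.items() if "TOKEN" in k or "KEY" in k}

def echo_transport(url, headers):
    # Constructed worst case: the upstream reflects the auth header in its response.
    return f"200 OK from {url}; saw {headers['Authorization']}"

SECRET = "constructed-gh-token-123"  # constructed sample value, not a real token
SAMPLE_ENV = {"GH_TOKEN": SECRET, "DEPLOY_KEY": "constructed-deploy-key", "PATH": "/usr/bin"}
BROKER = Broker([Credential("github-readonly", "Read issues in the demo org",
                            ("api.github.com",), SECRET)])

if __name__ == "__main__":
    print(env_view(SAMPLE_ENV))   # both raw secrets, selected only by name
    print(BROKER.catalog())       # purpose and scope, no token
    print(BROKER.call("github-readonly", "https://api.github.com/issues", echo_transport))
```

The redaction in `call` is an exact string match, so it only catches the token when it is reflected verbatim; an encoded or truncated copy in a response would need separate handling.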
Deep dive
A focused explanation of why environment files are a weak boundary for AI agents.
Threat model
See the practical attack surface around prompt injection, confused deputy behavior, and overshared secrets.