
Show HN: Kontext CLI – Credential broker for AI coding agents in Go

Open-source Go tool replaces risky .env files with short-lived tokens and full governance for agents like Claude Code.

Deep Dive

Kontext-dev has launched Kontext CLI, an open-source command-line tool written in Go designed to bring enterprise-grade security to AI coding assistants. It directly addresses the risky practice of developers copying long-lived API keys for services like GitHub and Stripe into .env files. Instead, Kontext uses a declarative `.env.kontext` file as a template. When a developer runs `kontext start --agent claude`, the tool authenticates the user via OIDC, exchanges the template's placeholders for short-lived tokens using OAuth 2.0 Token Exchange (RFC 8693), and launches the agent with these ephemeral credentials injected. The session is fully governed, with every PreToolUse, PostToolUse, and UserPromptSubmit event streamed to a central dashboard for audit.

The architecture is lightweight and secure by default. A native Go binary requires no local daemon and uses the system keyring for OIDC session storage. A sidecar process manages communication and heartbeats. Crucially, all credentials are scoped to the session and automatically expire when it ends, eliminating the risk of persistent, leaked keys. The tool currently supports Claude Code, with plans for Cursor and others. This approach allows teams to commit credential templates to repos without sharing secrets, providing a consistent, secure, and auditable workflow for AI-assisted development.
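
The exchange step described above, as an added Go example that is not Kontext's own code: it builds an RFC 8693 request and refuses a response that is not a short-lived access token. Using the OIDC ID token as the `subject_token`, the `github` audience value, the `maxTTL` policy and both function names are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

const (
	grantExchange = "urn:ietf:params:oauth:grant-type:token-exchange" // URNs from RFC 8693
	typeIDToken   = "urn:ietf:params:oauth:token-type:id_token"
	typeAccess    = "urn:ietf:params:oauth:token-type:access_token"
)

// ExchangeForm builds the token-endpoint form body. Assumption: the OIDC ID
// token is the subject_token and audience names the target service.
func ExchangeForm(idToken, audience string) url.Values {
	return url.Values{
		"grant_type":           {grantExchange},
		"subject_token":        {idToken},
		"subject_token_type":   {typeIDToken},
		"requested_token_type": {typeAccess},
		"audience":             {audience},
	}
}

// CheckIssued parses the success response and returns the token lifetime,
// rejecting one with no expiry or one that outlives maxTTL (hypothetical policy).
func CheckIssued(body []byte, maxTTL time.Duration) (time.Duration, error) {
	var r struct {
		AccessToken string `json:"access_token"`
		IssuedType  string `json:"issued_token_type"`
		ExpiresIn   int64  `json:"expires_in"` // seconds; 0 when absent
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return 0, err
	}
	ttl := time.Duration(r.ExpiresIn) * time.Second
	switch {
	case r.AccessToken == "" || r.IssuedType != typeAccess:
		return 0, fmt.Errorf("missing token or unexpected issued_token_type %q", r.IssuedType)
	case ttl <= 0 || ttl > maxTTL:
		return 0, fmt.Errorf("ttl %s not in (0, %s]: not provably short-lived", ttl, maxTTL)
	}
	return ttl, nil
}
func main() { fmt.Println(ExchangeForm("constructed.id.token", "github").Encode()) } // constructed values
```

`expires_in` is only RECOMMENDED by RFC 8693, so the check treats a response without it as a failure rather than assuming a short lifetime.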

Key Points
  • Replaces .env files with ephemeral credentials using RFC 8693 token exchange for services like GitHub and Stripe
  • Streams every agent tool call (PreToolUse, PostToolUse) to a dashboard for full audit and governance
  • Native Go binary with OIDC auth and system keyring storage; launches Claude Code with `kontext start --agent claude`

Why It Matters

Enables teams to safely scale AI coding agents with proper secret management, audit trails, and without changing developer workflows.