Secrets Management

Red Station includes a secure, local secrets manager to handle API keys and credentials required by Agents and MCP servers.

Security Architecture

• Encryption: Secrets are stored encrypted at rest in ~/.pilot/secrets.yaml.
• Injection: Secrets are injected into MCP servers or Agent env vars at runtime.
• Masking: Values are masked in logs and outputs.

CLI Commands

# List stored secrets (values are hidden)
pilot secrets list

# Set a new secret (interactive prompt)
pilot secrets set OPENAI_API_KEY

# Delete a secret
pilot secrets delete OLD_TOKEN

# Import secrets from current ENV
pilot secrets import-env --prefix PILOT_

Usage in Config

Reference secrets in your YAML configuration using the ${secrets.NAME} syntax:

model:
  provider: openai
  api_key: ${secrets.OPENAI_API_KEY}