hem

A CLI for agents to create, manage and use secrets. Encrypts secrets locally while giving agents discoverability and metadata on secrets. Works alongside existing .env.

Supports GitHub. The hem connect cloudflare and hem connect aws commands are still present, but Cloudflare and AWS are disabled for now.

Usage

Connect and add credentials

# Interactive: choose a connector or manual token
hem env add

# GitHub
hem connect github

# Manual
hem env add API_TOKEN

Use hem to run with secrets

hem bun dev

hem run refreshes expired provider credentials automatically before injecting them.

Env var labels

Manual env vars use the label you provide. Providers materialize credentials under fixed env var names:

Provider	Labels
github	`GITHUB_TOKEN`

Only one bundle per provider can be active at a time. hem env rm <label> removes the whole bundle that contains that label.

How scoping works

Permissions are not specified at the CLI layer. Scope comes from:

GitHub: repositories selected during GitHub App installation and permissions configured on the GitHub App

The .hem/secrets.json manifest records the provider binding so credentials can be refreshed on hem run.

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
packages		packages
.gitignore		.gitignore
AGENTS.md		AGENTS.md
CLAUDE.md		CLAUDE.md
README.md		README.md
bun.lock		bun.lock
oxfmt.config.ts		oxfmt.config.ts
oxlint.config.ts		oxlint.config.ts
package.json		package.json
tsconfig.json		tsconfig.json
turbo.json		turbo.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

hem

Usage

Env var labels

How scoping works

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

hem

Usage

Env var labels

How scoping works

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages