SecAPI: Secure, AI-Driven API Key Management & Leak Prevention

Binayak Jha — Sat, 30 May 2026 03:32:09 +0000

This is a submission for the GitHub Finish-Up-A-Thon Challenge

What I Built

SecAPI is a local-first, zero-trust CLI utility and key manager designed to make code security the easiest developer path.

Exposing secrets (like Stripe, OpenAI, or AWS keys) in repository files is one of the most common causes of credential leaks. Often, developers resort to plaintext .env files that can be accidentally staged and pushed, or struggle with complex vault set-ups.

SecAPI solves this with a seamless three-step command line workflow:

Scans codebases for exposed API keys using fast regex rules or advanced AI analysis.
Vaults secrets locally using strong AES-256 encryption derived via PBKDF2-HMAC (completely offline).
Replaces raw hardcoded strings in code with secure, runtime references (load_key("key_name"))—preserving variable names, indentation, and comments.

It can be installed globally or run natively as a GitHub CLI (gh) extension, bringing secure vault operations directly into standard Git workflows. It means we can keep our code secure, separate environments easily, and prevent pushes with unencrypted credentials—all without relying on cloud-based vault hosts.

Demo

Interactive Web Showcase: secapi.netlify.app
GitHub Repository: github.com/BinayakJha/SecAPI

The Scrolling CLI Showcase in Action

Check out the interactive scrollytelling page on secapi.netlify.app to see the simulator type out and execute the CLI commands (scanning, setting up vaults, applying smart code rewrites, checking the status board, running the git pre-commit hook, and installing/running the tool as a native GitHub CLI extension) in real-time as you scroll!

The Comeback Story

Where It Started

SecAPI was an abandoned CLI prototype. It was un-installable due to file packaging typos, suffered from weak vault security (a custom padding scheme instead of a standard key derivation function), had no recovery options if the master password was lost, and used a basic console print command to list keys. Furthermore, the AI scanner relied on outdated OpenAI package versions, creating environment conflicts.

What I Changed, Fixed, and Added

I gave the project a complete, ground-up overhaul to turn it into a premium, production-ready tool:

Packaging & Installation: Fixed filename bugs (removed a rogue leading space on configuration files) and created a one-command installer script (install.sh) that auto-detects pipx or pip to set up the CLI globally.
Vault Cryptography Upgrade: Replaced the weak padding scheme in secure.py with standard PBKDF2-HMAC (100,000 iterations of SHA-256) and a random salt to derive vault keys.
Emergency Mnemonic Recovery Key: Added an automatic 24-character recovery mnemonic during vault initialization. Users can safely reset their master password via secapi recover without losing stored secrets.
Automated Schema Migration: Implemented a helper that detects older flat JSON vaults and automatically migrates them to the new dual-encrypted schema upon execution.
Smart LHS-Preserving Fixer: Rewrote the replacement engine in fixer.py to target only the string literal (RHS) of leaked assignments, leaving variable names (LHS), indentation, and comments untouched.
Zero-Dependency Gemini 2.5 Flash Audit: Replaced the conflict-prone OpenAI module with a zero-dependency Gemini API client built using Python's standard urllib library. Implemented line-aware chunking to scan massive files without hitting token limits.
Git Pre-Commit Hook Integration: Built secapi init-hook to install an executable git hook. It scans staged changes in a non-interactive mode and blocks commits if unencrypted secrets are introduced.
ANSI TUI Dashboard: Upgraded the simple text listing to a responsive status board showing key names, ages in days, and colorful status badges (🟢 Active, 🟡 Rotate Soon, 🔴 Expired).
Multi-Environment Profiles: Support for dev, staging, and prod vaults via CLI flags (--env) and environment variables (SECAPI_ENV).
Testing: Wrote a complete test suite of 12 automated unit tests verifying cryptography, migrations, hook installations, and chunking, achieving 100% green status on pytest.
Native GitHub CLI (gh) Extension: Packaged SecAPI as an interpreted GitHub CLI extension. Implemented a self-bootstrapping script (gh-secapi) that isolates python dependencies in a local virtual environment upon installation, enabling developers to run gh secapi natively with zero global package conflicts.

My Experience with GitHub Copilot

GitHub Copilot was an invaluable partner in reviving this codebase:

Refactoring Cryptography: Copilot helped write clean, standard PBKDF2-HMAC and AES GCM code using the cryptography library, ensuring the migration path was mathematically sound and didn't lose any legacy keys.
Creating the Zero-Dependency Client: Writing standard library urllib.request code for multi-part JSON API calls can be verbose. Copilot sped up the creation of the Gemini client, making it clean and robust against empty API responses.
Web Design Iterations: Copilot generated the Vanilla CSS styling and the intersection observers for the scrolling landing page, giving the project a modern, glassmorphic layout that immediately captures attention.
Self-Bootstrapping CLI Extension: Copilot helped design a lightweight shell wrapper script that dynamically builds isolated python virtual environments inside the extension folder upon first run, preventing global environment pollution for users.

dev_to_username: binayak_jha

My Journey as an AI Intern at Xuno

Binayak Jha — Tue, 13 Aug 2024 14:33:35 +0000

Hey everyone! I am Binayak Jha, currently a rising sophomore at Franklin & Marshall College, pursuing a double degree in Computer Science & Mathematics, with a minor in Music. Originally from Nepal, I have spent the past year studying in the U.S., but this summer, I got the opportunity to return back to Nepal and work as an Artificial Intelligence (AI) Intern at Xuno, and it was really a transformative experience for me!

Why Xuno?

Choosing to intern at Xuno was a decision driven by both personal and professional motivations. As someone deeply connected to Nepal, having grown up immersed in its rich culture and traditions, getting a chance to work in my own country was not just a professional journey but also a personal journey. It allowed me to reconnect with my roots, spend time with my family, and immerse myself once again in the vibrant life of Kathmandu.

Nepal's tech scene is evolving rapidly, and Xuno is at the forefront of this transformation. With a focus on innovative solutions to real-world challenges, particularly in the fintech domain, Xuno's mission—“Driven by the mission of shepherding the world into an equitable and borderless economy”—resonated deeply with me. The company’s emphasis on using AI to solve complex problems in a developing country like Nepal aligned perfectly with my passion for leveraging technology to create tangible impacts.

Personal Connection with my work

One of the most compelling reasons I chose to intern at Xuno was their commitment to solving the challenges of cross-border payments. Having experienced firsthand the difficulties my family and I faced with international money transfers, working on a solution to this issue felt deeply personal and meaningful. The opportunity to contribute to a project that directly addresses a problem affecting so many people in Nepal and around the world was incredibly fulfilling.

Diving into AI at Xuno

During my internship, I was particularly drawn to Xuno's innovative approach to integrating AI into their projects. This aligned perfectly with my academic interests and provided me with the opportunity to apply my own skills in a real-world context. I worked on projects such as USD to NPR exchange rate analysis and the development of Xuno Matrix, a new infrastructure project. The experience was both challenging and rewarding, as I worked with a talented team of professionals who brought over more than 10+ years of expertise in this field and shared a collective passion for making a difference.

Getting Transformative Experiences and Mentorship

The two months I spent at Xuno were nothing short of transformative. I honed my existing skills, acquired new ones, and gained invaluable insights into the tech and fintech industries within the context of a developing country. This experience not only increased my understanding of AI and its applications but also reinforced my commitment to using technology to drive positive change. Having been interested in the fintech field long before this internship, I was fortunate to have mentors like Bal Dai (Founder) and Rupesh Dai (COO). Their unique perspectives and guidance were instrumental in shaping my approach to problem-solving and innovation in this dynamic industry.

Looking Ahead

Interning at Xuno has been a great moment in my academic and professional journey. It has provided me with experiences that will undoubtedly shape my future career in data science and technology. I am immensely grateful for the opportunity to work with such an inspiring team and to contribute to a company that is making a significant impact in Nepal.

This experience has left me more committed than ever to using technology as a force for good, particularly in contexts where it can have a meaningful and lasting impact.

DEV Community: Binayak Jha