TRUST LAYER FOR AI AGENTS

SAFE PRODUCTIONCHANGES FORAI AGENTS

Keycli sits between agent intent and production mutation: turning risky infra changes into structured plans, policy checks, approvals, provider-backed execution, and audit trails.

Request intro Design partner fit See the product flow

LIVE WHEN CONNECTEDAPPROVAL AWAREAUDIT FIRST

Works across provider surfaces like Vercel, GitHub Actions, and Render — without giving agents prod god mode.

CONTROL PLANE :: LIVE / GOVERNED

intentrotate STRIPE_SECRET across vercel + github-actions and deploy

riskhigh / approval_required

executionprovider-api when connected / simulated when not

providersvercel :: github-actions :: render

INTENT→PLAN→POLICY→APPROVAL→APPLY→AUDIT

WHY NOW

Agents are getting powerful faster than production workflows are getting safe

Today, agents can write code, open PRs, and drift toward deploys, config updates, and secret mutation. The operational workflow behind those actions is still fragmented.

Fragmented provider CLIs

Every provider has different mutation rules, different APIs, and different edge cases.

Scattered approvals

Humans approve changes in whatever system happens to be nearby, with weak shared context.

Brittle secret rotation

Cross-provider key changes are easy to get half-right and hard to prove after the fact.

Disconnected deploy workflows

Config changes and deploy triggers rarely feel like one governed operation.

Thin auditability

Teams can see that something happened, but not always who approved what and why.

Agent over-permissioning

Without a trust layer, agents are either underpowered or handed broad production authority.

CONTROL PLANE FLOW

One control plane between agents and production

Instead of letting agents mutate infrastructure directly, Keycli gives them a constrained path with explicit state at every step.

REQUEST

Intent

The agent expresses the change it wants, not arbitrary shell access.

STRUCTURED

Plan

Keycli turns intent into a structured change plan with real targets and diff context.

CHECKED

Policy

Risk and readiness are evaluated before the system acts like a mutation is safe.

REQUIRED

Approval

Humans approve when the plan crosses the threshold for governed live change.

SCOPED

Apply

Execution runs through provider adapters, not direct agent access to production.

RECORDED

Audit

The resulting run, approvals, and outcomes land in one audit trail.

FIRST WEDGE

Safe config and secret changes across real providers

The first useful wedge is not “AI does everything.” It is governed config and secret mutation across real provider surfaces.

Rotate a shared secret across Vercel + GitHub Actions

Plan one change, inspect provider targets, require approval when needed, then apply through connected adapters.

MULTI-PROVIDERHIGH SIGNALAUDITED

Update preview env vars safely

Handle low-risk preview changes through a consistent flow instead of ad-hoc provider commands.

LOW RISKVERCEL READYFAST LOOP

Approve in GitHub, inspect the run in Keycli

Use GitHub comment approval capture for the current narrow wedge, then inspect the resulting plan and audit trail.

GITHUB FLOWCURRENT WEDGETRUTHFUL

POSITIONING

Not a vault. Not a wrapper. A trust layer.

Keycli is better understood as agent-safe production change orchestration than as one more dashboard around secrets.

NO / WRONG FRAME

Not another secret manager

The product is about governing live changes, approvals, and execution — not selling static storage alone.

NO / WRONG FRAME

Not a wrapper around provider CLIs

The value is consistent plan, policy, approval, apply, and audit semantics across providers.

YES / TRUST LAYER

Built for agent-native workflows

Plans, next actions, approval gates, scoped execution, and auditability are designed around AI-assisted operations.

TECHNICAL PROOF

Already grounded in a real wedge

This landing stays tight to the product truth today: a hosted control plane with real provider execution when the right connections exist.

+Hosted control plane with plans, approvals, runs, and audit.
+Live provider execution for Vercel, GitHub Actions, and Render when properly connected.
+Mixed-provider execution on supported targets.
+GitHub-native approval capture for the current comment-based workflow.
+Scoped provider connections plus apply-time rechecks before live mutation.

Current product status: strong technical wedge, still early, and not pretending broad coverage that does not exist yet.

REALISTIC SHAPEplan-response.json

{
  "intent": "rotate STRIPE_SECRET across Vercel + GitHub Actions and deploy",
  "risk": "high",
  "nextAction": "approval_required",
  "execution": "provider-api | simulated when unsupported",
  "providers": ["vercel", "github-actions"],
  "audit": "plan -> approval -> apply -> run log"
}

PRICING LOGIC

Priced for governed production control — not seats

Keycli should be priced around protected production targets and governed live changes, because the value is safe execution, approval, and audit — not seat count.

EARLY ACCESS

Team

For AI-native teams starting to put a trust layer in front of real provider changes.

Base platform fee
Includes protected targets
Includes governed live changes

SCALING

Growth

For teams coordinating more providers, environments, and approval paths as agent usage grows.

More targets and change volume
More approval workflow depth
Deeper multi-provider control

CUSTOM

Enterprise

For private deployment, deeper policy requirements, and compliance-heavy environments.

Private deployment options
Custom policy and controls
Higher-touch rollout support

DESIGN PARTNERS

We’re looking for AI-native teams to shape the product with us

If your team is already letting agents touch code, deploys, configs, or secrets, Keycli is being built for exactly that transition point.

You already use coding agents in real engineering workflows.
You care about approval, audit, and production trust more than novelty demos.
You are comfortable shaping an early control-plane product with direct feedback.

Capture needs routing before launch

What happens next

Founder-led and manual on purpose: the goal here is qualified conversations, not fake self-serve. Tell us the workflow you want to govern and we will reply with the right next step.

We read every request manually.
If the workflow fit is strong, we follow up with a focused intro call or async thread.
We keep the pilot narrow and honest rather than forcing a broad onboarding story too early.

FAQ

What teams will ask first

What is Keycli?

Keycli is a trust layer between AI agents and production systems. It turns intent into plans, runs policy and approval checks, applies through provider adapters, and records the outcome.

Is this a secret manager?

No. Secret and config changes are part of the wedge, but the product is about governed production change orchestration rather than static secret storage.

Which providers are supported today?

The current live provider wedge covers Vercel, GitHub Actions, and Render when the right provider connections exist.

Can agents apply changes directly?

They can request changes through Keycli. Risky plans still require approval, and execution is constrained through provider adapters rather than direct prod access.

How do approvals work right now?

The current narrow GitHub-native wedge uses comment-based approval capture, while the hosted control plane also exposes explicit approval endpoints.

DOCS HUB

Use this page to see what is already real, what to run next, and where the truth lives in-repo.

The marketing app now has a proper docs hub instead of a dead-end bridge. It summarizes the real product wedge, points to the canonical demos, and keeps the source-of-truth files visible so the site does not drift.

Real today

Hosted API with plans, approvals, runs, audit, and scoped auth.
Live Vercel, GitHub Actions, and Render mutation when valid provider connections exist.
Mixed-provider execution when every target has supported live adapters.
GitHub comment approval capture for the current narrow workflow.

Still early

Full GitHub App install flow and richer PR-native UX.
Deeper policy and permissioning beyond current scope/recheck guardrails.
Rollback and drift detection after apply.

Start with the product thesis

If you need the sharpest explanation of what Keycli is and is not, start here before touching marketing copy or roadmap language.

Trust layer between agents and production
Normalized plan → policy → approval → apply → audit model

docs/PRODUCT.md

Run the honest demo path

Use the self-hosted control-plane demo first, then graduate to the preview-safe live Vercel flow once you want proof of real mutation.

demo:hosted:self for the trust model
demo:vercel:preview for the live provider wedge

docs/DEMO.md

Configure live providers

Provider docs stay explicit about what is live, what is scoped, and what still falls back to simulation.

Vercel preview-safe mutation guide
GitHub and Render setup notes for the current supported wedge

docs/VERCEL.md + docs/GITHUB.md + docs/RENDER.md

Keep landing copy honest

The landing specs are still in the repo and remain the fastest way to check message hierarchy, design rules, and anti-drift constraints.

Overview, copy, wireframe, design system, and pricing notes
Use them to keep the site aligned with product truth

docs/landing/*

Useful commands

npm run landing:devnpm run landing:typechecknpm run landing:buildnpm run demo:hosted:self

Request intro Back to landing