q-ring
The first quantum-inspired keyring built specifically for AI coding agents.
<a href="https://glama.ai/mcp/servers/I4cTime/quantum_ring"> <img src="https://glama.ai/mcp/servers/I4cTime/quantum_ring/badges/card.svg" alt="quantum_ring MCP server" width="400" /> </a>Stop pasting API keys into plain-text .env files or wrestling with clunky secret managers. q-ring securely anchors your credentials to your OS's native vault (macOS Keychain, Linux Secret Service, Windows Credential Vault) and supercharges them with mechanics from quantum physics.
📖 View the Official Documentation for a complete CLI reference, MCP prompt cookbooks, and architecture details.
Why q-ring?
- Superposition: Store one key with multiple states (dev/staging/prod) that collapse based on context.
- Entanglement: Link keys across projects so rotating one automatically updates them all.
- Tunneling: Create ephemeral, in-memory secrets that self-destruct after a set time or read count.
- Teleportation: Securely pack and share AES-256-GCM encrypted secret bundles.
- Seamless AI Integration: 44 built-in MCP tools for native use in Cursor, Kiro, and Claude Code.
🚀 Installation
q-ring is designed to be installed globally so it's available anywhere in your terminal. Pick your favorite package manager:
# pnpm (recommended)
pnpm add -g @i4ctime/q-ring
# npm
npm install -g @i4ctime/q-ring
# yarn
yarn global add @i4ctime/q-ring
# Homebrew (macOS / Linux)
brew install i4ctime/tap/qring⚡ Quick Start
# 1️⃣ Store a secret (prompts securely if value is omitted)
qring set OPENAI_API_KEY sk-...
# 2️⃣ Retrieve it anytime
qring get OPENAI_API_KEY
# 3️⃣ List all keys (values are never shown)
qring list
# 4️⃣ Generate a cryptographic secret and save it
qring generate --format api-key --prefix "sk-" --save MY_KEY
# 5️⃣ Run a full health scan
qring healthQuantum Features
Superposition — One Key, Multiple Environments
A single secret can hold different values for dev, staging, and prod simultaneously. The correct value resolves based on your current context.
# Set environment-specific values
qring set API_KEY "sk-dev-123" --env dev
qring set API_KEY "sk-stg-456" --env staging
qring set API_KEY "sk-prod-789" --env prod
# Value resolves based on context
QRING_ENV=prod qring get API_KEY # → sk-prod-789
QRING_ENV=dev qring get API_KEY # → sk-dev-123
# Inspect the quantum state
qring inspect API_KEYWavefunction Collapse — Smart Environment Detection
q-ring auto-detects your environment without explicit flags. Resolution order:
--envflagQRING_ENVenvironment variableNODE_ENVenvironment variable- Git branch heuristics (
main/master→ prod,develop→ dev) .q-ring.jsonproject config- Default environment from the secret
# See what environment q-ring detects
qring env
# Project config (.q-ring.json)
echo '{"env": "staging", "branchMap": {"release/*": "staging"}}' > .q-ring.jsonQuantum Decay — Secrets with TTL
Secrets can have a time-to-live. Expired secrets are blocked from reads. Stale secrets (75%+ lifetime) trigger warnings.
# Set a secret that expires in 1 hour
qring set SESSION_TOKEN "tok-..." --ttl 3600
# Set with explicit expiry
qring set CERT_KEY "..." --expires "2026-06-01T00:00:00Z"
# Health check shows decay status
qring healthObserver Effect — Audit Everything
Every secret read, write, and delete is logged with a tamper-evident hash chain. Access patterns are tracked for anomaly detection.
# View audit log
qring audit
qring audit --key OPENAI_KEY --limit 50
# Detect anomalies (burst access, unusual hours, chain tampering)
qring audit --anomalies
# Verify audit chain integrity
qring audit:verify
# Export audit log
qring audit:export --format json --since 2026-03-01
qring audit:export --format csv --output audit-report.csvQuantum Noise — Secret Generation
Generate cryptographically strong secrets in common formats.
qring generate # API key (default)
qring generate --format password -l 32 # Strong password
qring generate --format uuid # UUID v4
qring generate --format token # Base64url token
qring generate --format hex -l 64 # 64-byte hex
qring generate --format api-key --prefix "sk-live-" --save STRIPE_KEYEntanglement — Linked Secrets
Link secrets across projects. When you rotate one, all entangled copies update automatically.
# Entangle two secrets
qring entangle API_KEY API_KEY_BACKUP
# Now updating API_KEY also updates API_KEY_BACKUP
qring set API_KEY "new-value"
# Unlink entangled secrets
qring disentangle API_KEY API_KEY_BACKUPTunneling — Ephemeral Secrets
Create secrets that exist only in memory. They never touch disk. Optional TTL and max-read self-destruction.
# Create an ephemeral secret (returns tunnel ID)
qring tunnel create "temporary-token-xyz" --ttl 300 --max-reads 1
# Read it (self-destructs after this read)
qring tunnel read tun_abc123
# List active tunnels
qring tunnel listTeleportation — Encrypted Sharing
Pack secrets into AES-256-GCM encrypted bundles for secure transfer between machines. Keys are derived with PBKDF2-HMAC-SHA512 (210 000 iterations) from your passphrase; each bundle records its iteration count, so bundles produced by older versions still unpack.
# Pack secrets (prompts for passphrase)
qring teleport pack --keys "API_KEY,DB_PASS" > bundle.txt
# On another machine: unpack (prompts for passphrase)
cat bundle.txt | qring teleport unpack
# Preview without importing
qring teleport unpack <bundle> --dry-runImport — Bulk Secret Ingestion
Import secrets from .env files directly into q-ring. Supports standard dotenv syntax including comments, quoted values, and escape sequences. The CLI accepts either a file path or raw content; the import_dotenv MCP tool only accepts raw content (it never reads files from disk) so an agent can't coerce it into reading arbitrary local files.
# Import all secrets from a .env file
qring import .env
# Import to project scope, skipping existing keys
qring import .env --project --skip-existing
# Preview what would be imported
qring import .env --dry-runSelective Export
Export only the secrets you need using key names or tag filters.
# Export specific keys
qring export --keys "API_KEY,DB_PASS,REDIS_URL"
# Export by tag
qring export --tags "backend"
# Combine with format
qring export --keys "API_KEY,DB_PASS" --format jsonSecret Search and Filtering
Filter qring list output by tag, expiry state, or key pattern.
# Filter by tag
qring list --tag backend
# Show only expired secrets
qring list --expired
# Show only stale secrets (75%+ decay)
qring list --stale
# Glob pattern on key name
qring list --filter "API_*"Project Secret Manifest
Declare required secrets in .q-ring.json and validate project readiness with a single command.
# Validate project secrets against the manifest
qring check
# See which secrets are present, missing, expired, or stale
qring check --project-path /path/to/projectEnv File Sync
Generate a .env file from the project manifest, resolving each key from q-ring with environment-aware superposition collapse.
# Generate to stdout
qring env:generate
# Write to a file
qring env:generate --output .env
# Force a specific environment
qring env:generate --env staging --output .env.stagingSecret Liveness Validation
Test if a secret is actually valid with its target service. q-ring auto-detects the provider from key prefixes (sk- → OpenAI, ghp_ → GitHub, etc.) or accepts an explicit provider name.
# Validate a single secret
qring validate OPENAI_API_KEY
# Force a specific provider
qring validate SOME_KEY --provider stripe
# Validate all secrets with detectable providers
qring validate --all
# Only validate manifest-declared secrets
qring validate --all --manifest
# List available providers
qring validate --list-providersBuilt-in providers: OpenAI, Stripe, GitHub, AWS (format check), Generic HTTP.
Output:
✓ OPENAI_API_KEY valid (openai, 342ms)
✗ STRIPE_KEY invalid (stripe, 128ms) — API key has been revoked
⚠ AWS_ACCESS_KEY error (aws, 10002ms) — network timeout
○ DATABASE_URL unknown — no provider detectedHooks — Callbacks on Secret Change
Register webhooks, shell commands, or process signals that fire when secrets are created, updated, or deleted. Supports key matching, glob patterns, tag filtering, and scope constraints.
# Run a shell command when a secret changes
qring hook add --key DB_PASS --exec "docker restart app"
# POST to a webhook on any write/delete
qring hook add --key API_KEY --url "https://hooks.example.com/rotate"
# Trigger on all secrets tagged "backend"
qring hook add --tag backend --exec "pm2 restart all"
# Signal a process when DB secrets change
qring hook add --key-pattern "DB_*" --signal-target "node"
# List all hooks
qring hook list
# Remove a hook
qring hook remove <id>
# Enable/disable
qring hook enable <id>
qring hook disable <id>
# Dry-run test a hook
qring hook test <id>Hooks are fire-and-forget: a failing hook never blocks secret operations. The hook registry is stored at ~/.config/q-ring/hooks.json.
SSRF protection: HTTP hook URLs targeting private/loopback IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, ::1, fc00::/7) are blocked by default. DNS is checked up front and re-validated at connect time, so a hostname can't pass the check then rebind to a private address before the socket opens. To allow hooks targeting local services (e.g. during development), set the environment variable Q_RING_ALLOW_PRIVATE_HOOKS=1.
Configurable Rotation
Set a rotation format per secret so the agent auto-rotates with the correct value shape.
# Store a secret with rotation format metadata
qring set STRIPE_KEY "sk-..." --rotation-format api-key --rotation-prefix "sk-"
# Store a password with password rotation format
qring set DB_PASS "..." --rotation-format passwordSecure Execution & Auto-Redaction
Run commands with secrets securely injected into the environment. All known secret values are automatically redacted from stdout and stderr to prevent leaking into terminal logs or agent transcripts. Exec profiles restrict which commands may be run.
# Execute a deployment script with secrets injected
qring exec -- npm run deploy
# Inject only specific tags
qring exec --tags backend -- node server.js
# Run with a restricted profile (blocks curl/wget/ssh, 30s timeout)
qring exec --profile restricted -- npm testCodebase Secret Scanner
Migrating a legacy codebase? Quickly scan directories for hardcoded credentials using regex heuristics and Shannon entropy analysis.
# Scan current directory
qring scan .Output:
✗ src/db/connection.js:12
Key: DB_PASSWORD
Entropy: 4.23
Context: const DB_PASSWORD = "..."Composite / Templated Sec
…