Document credential piping use case in README #22

@djdarcy

Problem

teeclip's encrypted clipboard history creates a natural mechanism for securely passing credentials to CLI tools — but this isn't documented anywhere. Users who discover teeclip see a "tee for clipboard" tool and don't realize it solves a real security problem they face daily: how to get secrets into CLI programs without exposing them to bash_history, ps aux, environment variable leaks, or on-screen visibility.

Proposed solution

Add a "Secure credential piping" section to the README that:

  1. Shows the traditional exposure vectors (environment variables, command-line args, config files, etc.)
  2. Demonstrates the teeclip workflow for passing credentials via pipe
  3. Positions teeclip honestly — not as a credential manager replacement, but as a tool whose encryption happens to solve this problem with zero additional setup

Content outline

### Secure credential piping

Your clipboard is already how you move secrets around. teeclip just makes
that encrypted and recallable.

Traditional methods of passing secrets to CLI tools all have exposure surfaces:

| Method | Risk |
|--------|------|
| `--key=SECRET` | Visible in `ps aux`, `bash_history` |
| `KEY=SECRET cmd` | Leaked via `/proc/PID/environ`, inherited by children |
| `.env` / config file | Persists on disk, can be committed to git |
| Interactive prompt | Requires TTY, breaks pipe workflows |

With teeclip, secrets flow through pipes — never touching shell history
or process arguments:

    # Copy API key from password manager (your normal flow)
    # Key is now encrypted in teeclip history

    # Pass to a tool — bash_history only shows the command, not the key:
    teeclip --paste | deploy-tool --key-stdin

    # Recall it later without returning to the password manager:
    teeclip --get 3 | deploy-tool --key-stdin

teeclip isn't a credential manager — it's a clipboard tool with AES-256-GCM
encryption at rest. But for developers who already copy-paste secrets,
it provides encrypted storage and pipe-native retrieval for free.

Acceptance criteria

  • README includes a "Secure credential piping" section
  • Section shows traditional exposure vectors
  • Section demonstrates the teeclip pipe workflow
  • Section is honest about what teeclip is and isn't
  • Section appears after the core usage examples (not in the opening — the tool's primary identity is still a clipboard tee)

Related issues

Analysis

See notes/ideas/2026-02-18__09-18-22__both_secure-credential-piping-via-clipboard.md for the full analysis including comparison with purpose-built credential managers (pass, 1Password CLI, HashiCorp Vault, etc.).
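
Added example (not part of the issue text or of teeclip's code): a Linux-only shell check of the exposure table above. It starts a child process that receives a constructed sample secret as an argument, as an environment variable, or over stdin, and reports where that secret is readable from the child's `/proc` entries. The `leaks_for` helper and the `tool` and `KEY` names are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; relies on Linux /proc. Not teeclip code.
SECRET='constructed-sample-key-123'   # constructed value, not a real credential
CHILD='sleep 2; :'                    # trailing ':' keeps sh from exec-ing sleep

# leaks_for METHOD -> prints where the child's /proc entries expose SECRET:
# "cmdline", "environ", or "none". METHOD is argv, env, or stdin.
leaks_for() {
    case "$1" in
        argv)  sh -c "$CHILD" tool "--key=$SECRET" >/dev/null 2>&1 & ;;
        env)   KEY="$SECRET" sh -c "$CHILD" >/dev/null 2>&1 & ;;
        stdin) printf '%s\n' "$SECRET" |
                   sh -c "read -r key; $CHILD" >/dev/null 2>&1 & ;;
        *)     echo "usage: leaks_for argv|env|stdin" >&2; return 2 ;;
    esac
    pid=$!
    sleep 1   # give the child time to exec before inspecting it
    found=none
    # cmdline is what `ps aux` shows; by default any local user can read it.
    if tr '\0' ' ' < "/proc/$pid/cmdline" | grep -qF -- "$SECRET"; then
        found=cmdline
    # environ is readable by the same user and root, and children inherit it.
    elif tr '\0' '\n' < "/proc/$pid/environ" | grep -qF -- "$SECRET"; then
        found=environ
    fi
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    echo "$found"
}

# Stand-alone run: one line per delivery method.
for method in argv env stdin; do
    printf '%-5s -> %s\n' "$method" "$(leaks_for "$method")"
done
```

Only the stdin case reports `none`, which is the property the pipe workflow in the content outline depends on.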

Labels: documentation (Improvements or additions to documentation), security (Security, encryption, and data protection)