Local-first by default. Explicit where secrets move.

AlmightyGPT is built for developers who already use model providers directly and want the review trail without handing keys to a new proxy.

Provider keys

CLI keys live in the OS keychain. VS Code keys live in SecretStorage. Environment variables remain available for CI and one-off shells. Keys are not written into repo config files.

No default proxy

Normal CLI and editor use sends requests from your machine directly to OpenAI, Anthropic, or Google. AlmightyGPT does not require a hosted proxy backend.

Context boundary

`.almightyignore`, config excludes, and secret redaction run before provider calls. Markdown writes also check for unsafe overwrites.

Defense in depth

Ignore rules prevent known-sensitive files from entering context. Redaction is an additional guard, not an excuse to include secrets in project files.

Tested auth core

v0.10.1 added 56 Vitest tests covering resolver priority, keychain behavior, provider validation, timeout behavior, normalized errors, and key-redaction regressions. The next focused auth test gap is extension-level SecretStorage/env injection coverage.