How it works
Find, rotate, encrypt. The three-step loop that stops leaked AI-chat keys from sitting on disk.
Transcript Vault has one job: turn leaked API keys in your AI chat history from "still usable" into "rotated and saved in an encrypted vault."
The loop
┌─────────┐     ┌──────────┐     ┌──────────┐
│  Find   │ ──▶ │  Rotate  │ ──▶ │ Encrypt  │
└─────────┘     └──────────┘     └──────────┘
     ▲                                  │
     └──────────────────────────────────┘
                   re-scan
Find
The app reads transcript files from the assistant directories on your
Mac. It looks for API-key patterns: provider prefixes (sk-,
sk-ant-, AKIA, AIza, ghp_, xoxb-, eyJ for JWTs, etc.),
private-key blocks (-----BEGIN ... PRIVATE KEY-----), and generic
api_key = …, secret = …, token = …, password = … assignments
where the value is long enough to look key-shaped.
For Google Antigravity specifically, the per-turn message JSONs hide
the agent payload inside a base64-encoded protobuf field
(stepPayload). The scanner decodes those, extracts the printable
byte runs, and scans the result, so keys pasted into Antigravity are
surfaced even though the JSON looks empty to a naive grep.
Every match is reported with file, line, the kind of secret detected, and a masked preview of the value (first 4 + last 4, fixed star count in the middle). The full string is never displayed in the UI.
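The Find step sketched as an added example (this is not Transcript Vault's own code): it decodes a base64 stepPayload, pulls out printable byte runs, matches a few of the prefixes listed above, and reports only a masked preview. The regex length bounds, the 8-byte minimum run, the 8-star mask, and the assumption that stepPayload is a top-level string field are illustrative; the sample message and key are constructed.

```python
import base64
import json
import re

# Prefixes are the ones the page lists; the length bounds are assumptions.
SECRET_RE = re.compile(
    r"(?P<anthropic>sk-ant-[A-Za-z0-9_-]{20,})"   # tried before the generic sk- form
    r"|(?P<sk_generic>sk-[A-Za-z0-9_-]{20,})"
    r"|(?P<aws_access_key_id>AKIA[0-9A-Z]{16})"
    r"|(?P<github_pat>ghp_[A-Za-z0-9]{36})"
)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")   # assumed minimum run length
STARS = 8                                          # assumed fixed star count

def mask(value):
    """First 4 + last 4 with a fixed-width middle, so the length is not leaked."""
    if len(value) <= 8:
        return "*" * STARS
    return value[:4] + "*" * STARS + value[-4:]

def scan_text(text, source):
    """Return findings for one string; the raw secret is never kept."""
    return [{"source": source, "kind": m.lastgroup, "preview": mask(m.group())}
            for m in SECRET_RE.finditer(text)]

def scan_message(raw_json):
    """Scan the JSON text itself, then the printable runs inside stepPayload."""
    findings = scan_text(raw_json, "json")
    doc = json.loads(raw_json)
    payload = doc.get("stepPayload") if isinstance(doc, dict) else None
    if isinstance(payload, str):
        try:
            blob = base64.b64decode(payload, validate=True)
        except ValueError:       # binascii.Error is a ValueError subclass
            return findings      # not base64 after all: nothing more to scan
        for run in PRINTABLE_RUN.findall(blob):
            findings += scan_text(run.decode("ascii"), "stepPayload")
    return findings

# Constructed sample: a protobuf-like blob carrying an obviously fake key.
FAKE_KEY = "AKIA" + "EXAMPLE0EXAMPLE0"
_text = b"export AWS_ACCESS_KEY_ID=" + FAKE_KEY.encode()
_blob = b"\x08\x01\x12" + bytes([len(_text)]) + _text + b"\x18\x00"
SAMPLE = json.dumps({"role": "agent", "stepPayload": base64.b64encode(_blob).decode()})

if __name__ == "__main__":
    print(scan_text(SAMPLE, "json"))   # scan of the undecoded JSON text
    print(scan_message(SAMPLE))        # scan after decoding stepPayload
```

Scanning the undecoded JSON text finds nothing, while the decoded scan reports one masked AWS-style finding.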
Rotate
You rotate the key. The app does not call the provider, store credentials, or talk to anyone's API. We never want to be in the loop on your provider account.
For each finding, the typical flow is:
- Click the row to jump straight to that line in the transcript.
- Open the provider's dashboard (the app links you out when it recognizes the provider).
- Revoke the leaked key and issue a fresh one.
- Update wherever the new key needs to live.
- Come back to Transcript Vault and mark the finding Rotated.
A rotated finding still keeps a record so you can prove later that the specific exposed key is no longer usable.
Encrypt
Once everything in a transcript has been dealt with, you click Encrypt. The transcript is encrypted with age (X25519) and saved into the local vault.
Deleting the leftover plain-text original is offered as an explicit second step. The encryption itself is what protects the secret; removing the original is just so a stale copy can't sit there for a backup tool or sync agent to pick up.
The vault key lives in the macOS login Keychain and unlocks automatically when you log in. You don't enter a separate password.
Live watching
A background watcher runs by default (no Pro required). It observes your transcript folders and re-scans whenever Claude Code, Codex, Gemini CLI, or Antigravity writes new content. New conversations and new leaks surface in seconds, with no manual rescan needed.
The watcher is debounced and uses an mtime-keyed cache, so a stable transcript is a cheap hash lookup rather than a re-read. Only the currently-being-written file actually gets re-scanned each refresh burst.
Re-scanning manually
Click Scan any time to force a full re-sweep. Useful if you restored a transcript from a backup or pointed the app at a new location.
What does NOT happen
- The app does not upload transcripts.
- The app does not call any provider's API.
- The app does not phone home with telemetry, analytics, or crash reports.
- The app does not modify the assistant itself. Claude Code, Codex, Gemini CLI, and Antigravity keep working exactly as before.

