Credential Sync
Synchronize credentials between your local Claude Code agent and its paired Trinity remote agent.
Overview
When working with paired agents (local + remote on Trinity), this skill handles credential synchronization:
Command Description
push
Push local credential files → remote agent
pull
Pull remote credentials → local (via encrypted file)
export
Create encrypted backup on remote
import
Restore from encrypted backup on remote
status
Check credential status on remote
Supported Credential Files
The skill auto-detects and syncs these credential files:
File Purpose Auto-detect
.env
Environment variables (KEY=VALUE) Yes
.mcp.json
MCP server configurations Yes
credentials.json
Service account keys Yes
config/secrets.yaml
YAML-based secrets Yes
*.pem , *.key
SSL/SSH keys Optional
Custom files Anything you specify Via --files
Usage
Basic usage (auto-detects credential files)
/credential-sync push [agent-name] # Push all credential files to remote /credential-sync pull [agent-name] # Pull remote creds to local /credential-sync export [agent-name] # Create encrypted backup /credential-sync import [agent-name] # Restore from backup /credential-sync status [agent-name] # Check remote status
Specify which files to sync
/credential-sync push my-agent --files=.env,.mcp.json /credential-sync push my-agent --files=.env,config/secrets.yaml,credentials.json
Sync everything matching a pattern
/credential-sync push my-agent --files=.env,.mcp.json,config/*.yaml
If agent-name is omitted, detect from:
-
template.yaml → name: field
-
Current directory name
-
AGENT_NAME environment variable
Phase 1: Agent Name & File Detection
Determine Agent Name
Try template.yaml first
AGENT_NAME=$(grep "^name:" template.yaml 2>/dev/null | cut -d: -f2 | tr -d ' "')
Fall back to directory name
if [ -z "$AGENT_NAME" ]; then AGENT_NAME=$(basename "$(pwd)") fi
echo "Target agent: $AGENT_NAME"
If agent name provided as argument, use that instead: $ARGUMENTS[1] or $1
Detect Credential Files
If --files not specified, auto-detect:
Standard credential files to check
CRED_FILES=""
.env - environment variables
[ -f ".env" ] && CRED_FILES="$CRED_FILES .env"
.mcp.json - MCP server config (may have secrets)
[ -f ".mcp.json" ] && CRED_FILES="$CRED_FILES .mcp.json"
credentials.json - service account keys
[ -f "credentials.json" ] && CRED_FILES="$CRED_FILES credentials.json"
config/secrets.yaml - common secrets location
[ -f "config/secrets.yaml" ] && CRED_FILES="$CRED_FILES config/secrets.yaml"
.credentials/ directory - credential folder
[ -d ".credentials" ] && CRED_FILES="$CRED_FILES $(ls .credentials/*)"
echo "Detected credential files: $CRED_FILES"
If --files specified, parse the comma-separated list.
Phase 2: Command Routing
Parse the command from $ARGUMENTS[0] or $0 :
Input Action
push
Execute Push Flow
pull
Execute Pull Flow
export
Execute Export Flow
import
Execute Import Flow
status
Execute Status Flow
(empty) Default to status
Flow: Push (Local → Remote)
Push local credential files to the remote Trinity agent.
Step 1: Collect Local Credential Files
Read each detected/specified credential file:
Build files dict for injection
FILES_TO_INJECT={}
for file in $CRED_FILES; do if [ -f "$file" ]; then content=$(cat "$file") echo "Reading: $file ($(wc -c < "$file") bytes)" # Add to FILES_TO_INJECT dict else echo "WARNING: $file not found, skipping" fi done
Example files dict structure:
{ ".env": "API_KEY=xxx\nSECRET=yyy", ".mcp.json": "{"mcpServers": {...}}", "config/secrets.yaml": "database:\n password: xxx" }
Step 2: Verify Remote Agent Exists
mcp__trinity__get_agent(name: "[agent-name]")
Check response:
-
If 404: "Agent not found on Trinity. Run /trinity-onboard first."
-
If not running: "Agent is stopped. Start it first or credentials won't persist."
Step 3: Inject All Files to Remote
mcp__trinity__inject_credentials( name: "[agent-name]", files: { ".env": "[content]", ".mcp.json": "[content]", "config/secrets.yaml": "[content]" } )
The files parameter accepts any file paths. Files are written relative to /home/developer/ in the agent container.
Step 4: Verify Injection
mcp__trinity__get_credential_status(name: "[agent-name]")
Step 5: Report
Credentials Pushed Successfully
Agent: [agent-name] Files injected:
- .env (124 bytes)
- .mcp.json (456 bytes)
- config/secrets.yaml (89 bytes)
Total: 3 files synced to remote agent.
Flow: Pull (Remote → Local)
Pull credentials from remote Trinity agent to local.
Note: This requires the encryption key to decrypt remote credentials.
Step 1: Get Encryption Key
mcp__trinity__get_credential_encryption_key()
Save the key for decryption.
Step 2: Export on Remote (creates .credentials.enc)
mcp__trinity__export_credentials(name: "[agent-name]")
Step 3: Download Encrypted File
The encrypted file is in the agent's workspace. To get it locally:
-
Use Trinity file download API, or
-
If agent has git sync, pull from repo
For now, inform user:
Pull Credentials
Encrypted backup created on remote: .credentials.enc
To get credentials locally:
Option A: Copy via file browser
- Visit your Trinity dashboard: ${TRINITY_URL}/agents/[agent-name]
- Go to Files tab
- Download .credentials.enc
- Run: /credential-sync decrypt
Option B: Git sync (if configured)
- Sync remote to GitHub
- git pull
- Decrypt .credentials.enc locally
Encryption key (save securely): [key from step 1]
Flow: Export (Create Encrypted Backup)
Create an encrypted backup of credentials on the remote agent.
Step 1: Call Export
mcp__trinity__export_credentials(name: "[agent-name]")
Step 2: Report
Encrypted Backup Created
Agent: [agent-name] File: .credentials.enc Files exported: [count]
The encrypted file can be safely committed to git. To restore: /credential-sync import [agent-name]
Flow: Import (Restore from Backup)
Restore credentials from encrypted .credentials.enc on the remote agent.
Step 1: Call Import
mcp__trinity__import_credentials(name: "[agent-name]")
Step 2: Verify
mcp__trinity__get_credential_status(name: "[agent-name]")
Step 3: Report
Credentials Restored
Agent: [agent-name] Files restored: [list] Credential count: [count]
Flow: Status
Check credential status on remote agent.
Step 1: Get Status
mcp__trinity__get_credential_status(name: "[agent-name]")
Step 2: Display
Credential Status: [agent-name]
| File | Exists | Size | Modified |
|---|---|---|---|
| .env | [yes/no] | [size] | [date] |
| .mcp.json | [yes/no] | [size] | [date] |
| .credentials.enc | [yes/no] | [size] | [date] |
Credential count: [count]
Local Encryption/Decryption
For offline work with encrypted credentials:
Encrypt Local Credentials
Save as encrypt_credentials.py
import json import os from base64 import b64encode from cryptography.hazmat.primitives.ciphers.aead import AESGCM
KEY = bytes.fromhex(os.environ['CREDENTIAL_ENCRYPTION_KEY']) files = {'.env': open('.env').read()} if os.path.exists('.mcp.json'): files['.mcp.json'] = open('.mcp.json').read()
nonce = os.urandom(12) aesgcm = AESGCM(KEY) plaintext = json.dumps(files).encode() ciphertext = aesgcm.encrypt(nonce, plaintext, None)
with open('.credentials.enc', 'wb') as f: f.write(nonce + ciphertext)
print(f'Encrypted {len(files)} files to .credentials.enc')
Decrypt Credentials
Save as decrypt_credentials.py
import json import os from cryptography.hazmat.primitives.ciphers.aead import AESGCM
KEY = bytes.fromhex(os.environ['CREDENTIAL_ENCRYPTION_KEY'])
with open('.credentials.enc', 'rb') as f: data = f.read()
nonce, ciphertext = data[:12], data[12:] aesgcm = AESGCM(KEY) plaintext = aesgcm.decrypt(nonce, ciphertext, None) files = json.loads(plaintext)
for filename, content in files.items(): with open(filename, 'w') as f: f.write(content) print(f'Wrote {filename}')
Error Handling
Error Resolution
Agent not found Run /trinity-onboard first to deploy agent
Agent not running Start agent via Trinity UI or MCP
No .env locally Create .env with required credentials
MCP tools unavailable Check Trinity MCP connection
Encryption key missing Get key via get_credential_encryption_key
Security Notes
-
Never commit .env - Use .credentials.enc for git storage
-
Protect encryption key - Store in password manager or secure env
-
Agent must be running - Credentials are written to container filesystem
-
Local .mcp.json - Consider syncing this too if MCP config differs
Examples
Push all detected credential files to remote
/credential-sync push my-agent
Push only .env
/credential-sync push my-agent --files=.env
Push .env and .mcp.json
/credential-sync push my-agent --files=.env,.mcp.json
Push custom credential files
/credential-sync push my-agent --files=.env,config/secrets.yaml,credentials.json
Push service account and config
/credential-sync push my-agent --files=service-account.json,config/database.yaml
Check what's on remote
/credential-sync status my-agent
Create encrypted backup (includes all credential files)
/credential-sync export my-agent
Restore from backup after agent restart
/credential-sync import my-agent
Auto-detect agent name from current directory
/credential-sync push
Related Skills
Skill Purpose
/trinity-onboard
Initial agent setup and Trinity adoption
/trinity-sync
Git-based code synchronization with remote
/trinity-remote
Remote agent operations (exec, run)
/trinity-schedules
Scheduled task management
Common Credential File Patterns
Standard .env pattern
/credential-sync push --files=.env
MCP configuration with secrets
/credential-sync push --files=.env,.mcp.json
Google Cloud service account
/credential-sync push --files=.env,service-account.json
AWS credentials
/credential-sync push --files=.env,.aws/credentials
Database config
/credential-sync push --files=.env,config/database.yaml
Full setup with all configs
/credential-sync push --files=.env,.mcp.json,config/secrets.yaml,credentials.json