Tighten README and Swift gitignore

Author: rodion-m

.gitignore

@@ -1,14 +1,57 @@
+# Swift Package Manager
 .build/
-.swiftpm/
-.DS_Store
-DerivedData/
+.swiftpm/configuration/
+.swiftpm/xcode/
+
+# Build and release artifacts
 build/
 dist/
+DerivedData/
+*.xcarchive
+*.dSYM/
+*.app/
+*.ipa
+*.pkg
+*.zip
+
+# Xcode user state
+*.xcuserstate
+*.xcscmblueprint
+*.mode1v3
+*.mode2v3
+*.pbxuser
+*.perspectivev3
+xcuserdata/
+
+# macOS filesystem noise
+.DS_Store
+.AppleDouble
+.LSOverride
+Icon?
+._*
+
+# Local editor and agent state
+.vscode/
+.idea/
+
+# Logs and temporary files
+*.log
+*.tmp
+*.swp
+*.swo
+
+# Local secrets, credentials, and signing material
 .env
 .env.*
 *.p12
 *.mobileprovision
-*.xcarchive
-*.log
+*.provisionprofile
+*.key
+*.pem
+*.crt
+*.cer
+*.der
+
+# Keep GitHub Actions workflow files tracked.
 !.github/**/*.yml
 !.github/**/*.yaml

AGENTS.md

@@ -8,9 +8,9 @@ Current release metadata: `0.1.0 alpha`. This is a pre-stable product; breaking
 
 ## Product Boundary
 
-Agentic Secrets is a macOS lower-leakage secret delivery system for developer machines.
+Agentic Secrets is a macOS runtime secret protection system for developer machines.
 
-It does not make execution safe. It makes delivery of secrets explicit, narrow, approved, bounded, auditable, and lower-leakage than `.env`, shell environment, MCP configs, or plaintext provider tokens.
+It does not make execution safe. It protects the secret delivery boundary by making runtime delivery explicit, narrow, approved, bounded, auditable, and fail-closed instead of leaving secrets in `.env`, shell environments, MCP configs, or plaintext provider token files.
 
 The default distribution model is open-source self-build with local ad-hoc signing. Downloadable Developer ID-signed and notarized binaries are optional future maintainer work, not a requirement for contributors or local use.
 

Docs/FUTURE_ENDPOINT_SECURITY.md

@@ -2,7 +2,7 @@
 
 Agentic Secrets does not require EndpointSecurity for the default local self-build release track. EndpointSecurity is a possible future provenance enhancement for maintainers who want stronger process-origin evidence than terminal environment hints or best-effort process-tree inspection can provide.
 
-The default product boundary remains unchanged: Agentic Secrets is a lower-leakage secret delivery system, not a general endpoint monitoring agent.
+The default product boundary remains unchanged: Agentic Secrets is a runtime secret protection system, not a general endpoint monitoring agent.
 
 ## What EndpointSecurity Adds
 

Docs/THREAT_MODEL.md

@@ -1,6 +1,6 @@
 # Agentic Secrets Threat Model
 
-Agentic Secrets is a macOS lower-leakage secret delivery system for developer machines.
+Agentic Secrets is a macOS runtime secret protection system for developer machines.
 
 It does not make arbitrary execution safe. It narrows how secrets are delivered, records why delivery was allowed, and prevents common plaintext leakage paths such as `.env`, shell profiles, shell history, inherited shell environment, MCP client configs, and provider tokens in process argv.
 

README.md

@@ -1,113 +1,57 @@
 # Agentic Secrets
 
-Version: `0.1.0 alpha`
+Agentic Secrets protects runtime secrets on macOS developer machines.
 
-Agentic Secrets is a macOS self-build tool for lower-leakage secret delivery on developer machines. Its core job is controlled delivery at runtime: deciding when, how, and to which local tool a stored secret may be released, with local approval through Touch ID or the local account password.
+It keeps long-lived provider tokens out of ambient places like `.env` files, shell startup files, MCP configs, and native CLI config files. Secrets are stored locally, released only for an approved runtime request, and tied to a specific tool, target binary identity, delivery context, and local authentication event.
 
-It keeps provider tokens out of `.env` files, shell startup files, MCP configs, and native CLI config files such as `hcloud`'s `cli.toml`. It does not make arbitrary command execution safe; it makes secret delivery explicit, narrow, locally approved, auditable, and fail-closed.
+Agentic Secrets does not sandbox commands or make target tools trustworthy. It protects the secret delivery boundary: when a secret may be released, to which local tool, through which mechanism, under which policy, and with what audit trail.
 
-This is an alpha release: expect breaking changes while the CLI, storage format, and trust model settle.
+## Why
+
+Developer tools often expect credentials to be present before they run. That pushes secrets into broad, sticky locations:
+
+- shell environments inherited by unrelated processes
+- `.env` files and shell rc files
+- MCP server configuration files
+- native CLI config files
+- ad hoc scripts and logs
+
+Agentic Secrets replaces ambient secret presence with explicit runtime delivery.
 
 ## How It Works
 
-- You register a CLI app once, for example `hcloud`, and pass the token through stdin.
-- Agentic Secrets stores the secret in a local encrypted store and keeps non-secret CLI metadata in its registry.
-- Each run validates the registered target binary identity before resolving the secret.
-- macOS LocalAuthentication is required before secret delivery. Depending on system state, macOS may ask for Touch ID, Apple Watch, or the local account password.
-- Successful CLI authentication creates a scoped authorization grant for matching runs. The default mode is `always`; `remember-24h`, `short`, and `once` are available per run. Persistent grants are signed with a device-local macOS Keychain key and are bound to the CLI, target identity, workspace, config context, untrusted origin hint, provenance confidence, delivery mode, and secret alias. Each command is still policy-checked before secret delivery, and destructive commands require fresh approval.
-- Trust changes, such as `trust-refresh` after a CLI upgrade, also require LocalAuthentication.
-- Registry tampering and target replacement fail closed before any secret is read.
+- Register a local tool and the secret bindings it may receive.
+- Store secret material in an owner-only encrypted local store.
+- Validate the target binary identity before each delivery.
+- Require macOS LocalAuthentication before secret release.
+- Reuse narrowly scoped delivery grants only when policy allows.
+- Fail closed on registry, policy, grant, or target identity tampering.
+- Write structured audit records without secret values.
 
-## Quick Install
+## Install
 
-Requirements: macOS Tahoe 26.x, SwiftPM, Xcode Command Line Tools or Xcode with the macOS 26 SDK.
+Requirements: macOS Tahoe 26.x, SwiftPM, and Xcode Command Line Tools or Xcode with the macOS 26 SDK.
 
 ```sh
 git clone https://github.com/CodeAlive-AI/agentic-secrets.git
 cd agentic-secrets
 ./scripts/install_local.sh --load --configure-shell
 ```
 
-Open a new terminal, or load the PATH change in the current one:
+Open a new terminal, then verify:
 
 ```sh
-source "$HOME/.zshrc"
 command -v agentic-secrets
-```
-
-Verify the local build:
-
-```sh
 agentic-secrets release-gates
 ```
 
-## hcloud Example
-
-Register `hcloud` without writing the token to `cli.toml`:
-
-```sh
-agentic-secrets cli register hcloud \
-  --env HCLOUD_TOKEN \
-  --secret-prompt
-```
-
-Run `hcloud` through Agentic Secrets:
-
-```sh
-agentic-secrets cli run hcloud -- server list
-```
-
-Choose authorization mode for one run:
-
-```sh
-agentic-secrets cli run hcloud --authorization-mode remember-24h -- server list
-agentic-secrets cli run hcloud --authorization-mode short --delivery-grant-ttl-seconds 300 -- server list
-agentic-secrets cli run hcloud --delivery-grant-ttl-seconds 0 -- server list
-```
-
-Optional: install a shim so `hcloud ...` itself routes through Agentic Secrets. This does not replace the Homebrew binary; it creates an Agentic Secrets shim directory that is placed before the native CLI on `PATH`.
-
-```sh
-agentic-secrets cli shim install hcloud --configure-shell
-```
-
-Open a new terminal, then use:
-
-```sh
-hcloud server list
-hcloud version
-```
-
-Normal commands go through Agentic Secrets secret delivery. Global help/version commands pass through without secret delivery.
-
-After a Homebrew upgrade of `hcloud`, verify the new binary and refresh trust:
-
-```sh
-agentic-secrets cli trust-refresh hcloud
-```
-
-### Codex App
-
-Codex App may not inherit the same shell startup environment as Terminal. Do not
-put `HCLOUD_TOKEN` into `~/.codex/.env`; that bypasses Agentic Secrets secret
-delivery. Instead, install the Agentic Secrets shim and make sure Codex resolves
-`hcloud` to the local shim path:
-
-```sh
-agentic-secrets cli shim install hcloud --force
-command -v hcloud
-```
-
-Expected path:
-
-```text
-~/Library/Application Support/AgenticSecrets/LocalInstall/shims/hcloud
-```
-
-## More
+## Documentation
 
-- Full install and troubleshooting: [Docs/INSTALLATION.md](Docs/INSTALLATION.md)
-- Operations guide: [Docs/OPERATIONS.md](Docs/OPERATIONS.md)
-- Acceptance criteria: [Docs/ACCEPTANCE_CRITERIA.md](Docs/ACCEPTANCE_CRITERIA.md)
-- Threat model: [Docs/THREAT_MODEL.md](Docs/THREAT_MODEL.md)
-- Developer/agent notes: [AGENTS.md](AGENTS.md)
+- [Installation](Docs/INSTALLATION.md)
+- [Operations](Docs/OPERATIONS.md)
+- [Threat model](Docs/THREAT_MODEL.md)
+- [Acceptance criteria](Docs/ACCEPTANCE_CRITERIA.md)
+- [Implementation map](Docs/IMPLEMENTATION_MAP.md)
+- [Ubiquitous language](Docs/THESAURUS.md)
+- [Contributing](CONTRIBUTING.md)
+- [Security policy](SECURITY.md)

ROADMAP.md

@@ -4,7 +4,7 @@ This roadmap describes post-alpha product directions. It is not a release
 commitment, but it should guide architecture decisions so short-term macOS work
 does not block Linux, Windows, or richer audit workflows later.
 
-Agentic Secrets remains a lower-leakage secret delivery system. It does not make
+Agentic Secrets remains a runtime secret protection system. It does not make
 arbitrary command execution safe. Future work should keep secret access explicit,
 narrow, approved, bounded, auditable, and fail-closed.