Home
Multi-backend credential abstraction for solo Python developers.
himitsubako (秘密箱, "secret box") gives you one consistent Python API and CLI for credentials across SOPS+age, macOS Keychain, Bitwarden CLI, direnv, and environment variables. Named after Hakone puzzle boxes, which open through a sequence of sliding moves rather than a single key.
The problem is not your secrets manager. The problem is you have five of them.
API keys in .env files. OAuth tokens in macOS Keychain. Deploy credentials in Bitwarden. Database passwords in SOPS. Each project wires its own approach and none of them talk to each other. himitsubako routes each credential to the backend that makes sense for it and gives your code a single interface to all of them.
.secrets.enc.yaml to a public repo without leaking values. Readable diffs, single-command key rotation, and append-only audit logging for every rotate operation.
BackendRouter dispatches each credential to the right backend via .himitsubako.yaml, transparently to your code.
cd. All accessed through the same Python API and CLI.
hmb get refuses to print secrets to a TTY without --reveal. Encrypted files are written mode 0600. Bitwarden CLI stderr is redacted before surfacing in errors. Subprocess calls have 30-second timeouts. The library is around 1,000 lines of auditable Python.
HimitsubakoSettingsSource plugs into pydantic-settings as a first-class source. Declare your credentials as typed model fields and let the source resolve them through the backend router. No manual wiring, no os.environ calls.
Start using it
himitsubako is available on PyPI, conda-forge, and Homebrew.