Make leaked API keys worthless.

Your API key is split in two. Neither half works alone. The proxy enforces a hard spend cap before the key reconstructs — blow the budget, the key never forms, the request never leaves your machine.

curl -sSL https://worthless.sh | sh        # fresh machine — no Python needed
# or, if you already have Python 3.10+:
pipx install worthless

Then, in your project:

cd your-project
worthless

Detects keys in your .env, splits them, starts a local proxy. No code changes.

Piping a script from the internet into sh is a supply-chain risk. Read it first:

curl -sSL https://worthless.sh -o install.sh
less install.sh                                   # inspect, then run
sh install.sh

See docs/install-security.md for trust roots (what the installer talks to and what it verifies) and the kill-switch runbook.

$ worthless

  Found 2 API keys:
    OPENAI_API_KEY      openai
    ANTHROPIC_API_KEY   anthropic

  Lock these keys? [y/N] y
    OPENAI_API_KEY      locked
    ANTHROPIC_API_KEY   locked

  Proxy ready on 127.0.0.1:8787

1. worthless lock splits each API key into two shards using XOR
2. Shard A stays on your machine (encrypted). Shard B goes to the proxy database.
3. Your .env is rewritten with shard-A (format-preserving — looks like a real key but is cryptographically useless alone)
4. The proxy reconstructs the key only when the rules engine approves the request
5. Spend cap blown? The key never forms. The request never reaches the provider.

worthless              # Auto-detect, lock, start proxy (the magic)
worthless lock         # Lock keys in .env
worthless unlock       # Restore original keys
worthless scan         # Detect exposed keys without locking
worthless status       # Show proxy and key status
worthless up           # Start proxy (foreground)
worthless up -d        # Start proxy (background daemon)
worthless down         # Stop the proxy
worthless wrap <cmd>   # Run a command through the proxy
worthless revoke       # Revoke enrolled keys

docker run ghcr.io/shacharm2/worthless-proxy:<version> — multi-arch, vulnerability-scanned, cosign-signed. See docs/install-docker.md.

Worthless runs on POSIX hosts. The proxy relies on setsid, os.killpg, fd-based key transport, and signal-group shutdown — primitives that have no reliable native-Windows equivalent. Rather than degrade silently, the CLI refuses to start on native Windows and tells you how to run it under WSL or Docker.

WORTHLESS_WINDOWS_ACK=1 suppresses the soft warning on down; it does not bypass the hard gate on the other entry points.

Planned: native-Windows support (stdin Fernet key transport, Windows Job Objects, DETACHED_PROCESS) is tracked in WOR-237 — target v1.2. If you need it sooner or want to help, comment on the issue rather than patching around the guard locally.

curl worthless.sh | sh bootstraps uv and worthless with no Python required on the target host. Coverage (run via pytest -m docker):

All distros are pinned to linux/amd64 so arm64 hosts still exercise amd64 coverage. Per-distro verification runs verify_install.sh — checks resolved binary path, --version, --help (exercises lazy imports), and scans stderr for Traceback / ModuleNotFoundError.

$ worthless unlock
1 key(s) restored.

Original key is back. No trace.

repos:
  - repo: https://github.com/shacharm2/worthless
    rev: main
    hooks:
      - id: worthless-scan

Worthless ships a SKILL.md that tells Claude Code, Cursor, and Windsurf what commands are available. Agents use --json for structured output:

worthless status --json

git clone https://github.com/shacharm2/worthless && cd worthless
uv sync --extra dev --extra test
uv run pytest

• Security model -- threat model, invariants, known limitations
• Engineering docs -- internal developer documentation for the live codebase
• Engineering architecture -- current internal architecture overview
• Contributor security rules -- invariants all contributions must preserve
• SKILL.md -- agent discovery file

PRs welcome. Read CONTRIBUTING-security.md first.

AGPL-3.0