Corrections
A log of material corrections to published posts. What changed, when, why, and the commit SHA.
This page tracks material corrections to published posts in the KPM Launch series. The goal is to be explicit about what was wrong and what changed — not to hide history, but to make it auditable.
2026-04-22 — Parts 1 and 2: --strict flag status
Commit: d2bff19
Posts affected:
- Part 1: I had 47 places I stored secrets. Then I built this.
- Part 2: Your .env files are a liability — even when they never leave your machine
What was wrong:
Both posts described kpm run --strict in a way that implied the flag enforces per-decrypt server-side policy as of KPM v0.2.0. This was inaccurate.
The actual state at v0.2.0:
- The
--strictflag parses in KPM v0.2.0 (strictFlag := fs.Bool("strict", false, ...)incmd/kpm/main.go). - The flag value is accepted but the per-decrypt policy enforcement — where every decrypt request round-trips to AgentKMS and is individually audited — is reserved for v0.3.0. The v0.2.0 code comment at line 556 reads:
_ = strict // strict mode reserved for future validation enforcement.
Part 2 specifically said: “kpm run --strict is where every decrypt request round-trips over mTLS to AgentKMS, gets individually audited, and can be denied in real time by server-side policy.” This is accurate for v0.3.0 behavior, but the post presented it as shipping alongside the rest of the v0.2.0 story without an explicit status note.
What changed:
- Added
narrative_claimsblocks to both posts documenting the distinction. - Added
corrected: truefront-matter and the correction banner visible on both posts. - The post bodies were not edited — the existing text remains for historical accuracy. The banner and the corrections log (this page) are the transparency mechanism.
Why this matters:
A reader who downloaded KPM v0.2.0 and ran kpm run --strict would see the flag accepted with no error but without the per-decrypt AgentKMS round-trips. That gap between “flag parses” and “flag enforces” is the kind of claim that needed explicit disclosure.
Evidence:
The relevant code at v0.2.0 is in cmd/kpm/main.go:
strictFlag := fs.Bool("strict", false, "enable strict ciphertext mode")
...
_ = strict // strict mode reserved for future validation enforcement
The per-decrypt enforcement lands in AgentKMS v0.3.0 and the KPM v0.3.x series that integrates it.
2026-04-22 (evening) — Parts 1 and 2: --strict and --secure shipped
Posts affected:
- Part 1: I had 47 places I stored secrets. Then I built this.
- Part 2: Your .env files are a liability — even when they never leave your machine
What was wrong:
Earlier on 2026-04-22, both posts were updated to say --strict would ship in v0.3.0 and --secure was on the way. Later that same day we cut KPM v0.2.1 and AgentKMS v0.3.1, which actually deliver both features. The morning’s hedge language was correct when written, but by evening the posts understated what a reader could actually run.
What changed:
- Part 1 — the roadmap line under “v0.3 ships:” was updated to reflect the actual KPM v0.2.1 release (prebuilt binaries,
--secure,--strict, all shipping today rather than “coming”). Added explicit cross-references to Parts 4 and 5 for the deep dives. - Part 2 — the
--strictbullet in the “that’s too convenient” section was updated from “ships in v0.3.0” to “shipped in KPM v0.2.1 + AgentKMS v0.3.1” with the honest point-version numbers.
Why this matters:
A reader pasting kpm run --strict after reading the earlier-today version of Part 2 would see it work and wonder why the post said it doesn’t yet. The operational story the v0.3 launch is making is “what we ship matches what we say” — this kept that commitment.
Evidence:
Release pages:
- KPM v0.2.1 — tagged 2026-04-22
- AgentKMS v0.3.1 — tagged 2026-04-22
This page is maintained manually. Each entry corresponds to a commit that added or changed the corrected: true flag on one or more posts.