secr — Secrets management & NHI governance
Review
Audited by ClawScan on May 10, 2026.
Overview
The plugin mostly matches its secrets-governance purpose, but it deserves Review because it handles tokens and secrets, audits every tool call, can fail open, and may write sensitive plugin config to a debug log.
Install only if you trust secr.dev with tool-call audit data and want it to govern agent tool use. Use a least-privilege SECR_AGENT_TOKEN, avoid storing tokens in plain config, do not enable SECR_PLUGIN_DEBUG on shared or production systems, and confirm whether your deployment should fail closed rather than fail open when gateway enforcement is unavailable.
