Free for now while in alpha pre-release-candidate phase

Blog

What we shipped this week. New features, improvements, and the occasional war story.

The landing page finally looks like something we'd ship

The old landing page was fine. Clean, readable, got the point across. But 'fine' isn't really the aesthetic we're going for when the product is a cryptographic secret vault. So we rebuilt it: dark teal background, a terminal hero section that actually shows you what sirr looks like in the wild, and a color system that doesn't need to be manually kept in sync. The whole site now reads 'this was designed' rather than 'this was assembled.' Small thing, probably, but first impressions compound.

Highlights

  • New landing page with dark teal theme and terminal hero section
  • Full color tokenization — every hue now lives in one place
  • Use-case cards link to the right quickstart for your workflow
  • Content width consistent across landing page and docs

Three quickstarts walk into a bar

We had one quickstart page. It tried to serve the solo developer who just wants to test a secret locally, the DevOps engineer who needs patchable secrets in CI, and the platform team managing secrets across ten microservices — all at once. Predictably, it served none of them well. Today we split it into three: Solo Dev (you and your local sirrd), DevOps (patchable secrets, CI integration, the works), and Multi-Team (namespaced secrets with an audit trail). The main quickstart page is now a three-card hub that routes you to the right place in about three seconds. We also fixed some embarrassing config docs — turns out SIRR_MASTER_KEY had the wrong description, Python required 3.10+ not 3.8, and a handful of env var defaults were just wrong.

Highlights

  • Quickstart split into three persona pages: Solo Dev, DevOps, Multi-Team
  • Solo Dev guide: install locally, push a secret, connect MCP
  • DevOps guide: patchable secrets with TTL updates and CI pipeline examples
  • Multi-Team guide: namespaced secrets with audit log queries
  • Fixed SIRR_MASTER_KEY description and corrected SDK version requirements

One server, many tenants

Multi-tenancy landed across the entire Sirr stack today. Previously, a Sirr instance was a single flat namespace — great for solo use, awkward the moment you needed to separate production secrets from staging, or team A's keys from team B's. Now every secret belongs to a tenant, every API key is scoped to a tenant, and the audit log shows you exactly who did what and where. We documented the whole thing end-to-end: API changes, CLI flags, SDK updates, MCP tool parameters, the n8n and OpenClaw integration pages, and the architecture diagram that explains how tenants fit into the request path. It was a big docs day.

Highlights

  • Multi-tenant support documented across API, CLI, all SDKs, and MCP
  • Tenant-scoped API keys with per-tenant permission isolation
  • Updated architecture page with tenant request flow diagram
  • n8n and OpenClaw integration docs updated for multi-tenant usage
  • Licensing page updated to reflect per-tenant secret limits

We have a real name now

The project started as SecretDrop, then lived at sirrvault.com for a while. Today we completed the move to sirrlock.com — new org on GitHub, new Docker registry paths, new Homebrew formula names, new everything. If you bookmarked anything under the old names, the redirects are in place, but update your references when you get a chance. On the actual-features side: we shipped dedicated integration pages for n8n and OpenClaw, so if you're using Sirr as a secret step in a workflow automation or an AI agent pipeline, there's now a proper guide for that. We also added OpenGraph images so links to sirr.dev actually look like something when you paste them into Slack.

Highlights

  • Full rebrand from SirrVault/sirrvault to sirrlock across all docs and install paths
  • New n8n integration page — use Sirr as a secret storage step in workflows
  • New OpenClaw integration page — AI agent pipelines with burn-after-read secrets
  • OpenGraph images for all pages — links now preview properly in Slack and Discord
  • GitHub org, GHCR registry, Homebrew tap, and Scoop bucket all updated

One command to install everything

Installing sirrd used to mean hunting through GitHub releases, picking the right binary for your OS, and hoping you remembered to add it to your PATH. Today we shipped get.sirr.dev — a single curl-pipe installer that detects your platform, downloads the right binary, and drops it in the right place. Homebrew, Scoop, Docker, and the curl script are all documented on the new Install page. Whatever your setup, there's now a clean one-liner for it.

Highlights

  • New Install page at sirr.dev/install covering all distribution channels
  • curl https://get.sirr.dev | sh — detects Linux/macOS, installs sirrd + sirr
  • Homebrew tap: brew install sirrlock/tap/sirrd sirrlock/tap/sirr
  • Scoop bucket for Windows: scoop install sirrlock/sirrd sirrlock/sirr
  • Docker: ghcr.io/sirrlock/sirrd for container deployments

Two binaries, one purpose, a lot of documentation

This was a big docs day. We finished formalizing the sirrd/sirr split — sirrd is the server daemon (think: mongod, dockerd), sirr is the client CLI. They're separate binaries, separate installs, separate jobs. With that naming locked in, we rewrote the entire MCP page from scratch: 13 tools documented with working examples, error anchors for every failure mode, and burn-after-read demos in the AI workflows section. We also flipped the default port from 8080 to 39999 site-wide, which was not a small find-and-replace.

Highlights

  • sirrd vs sirr naming fully documented across all pages
  • Full MCP page: 13 tools with conversation examples and error codes
  • Burn-after-read pattern demonstrated in AI workflow examples
  • Default port changed from 8080 to 39999 throughout all docs
  • GHCR and Docker Hub image availability documented on deployment pages

Speak any language (almost)

Sirr now supports 10 languages across both the docs and the dashboard. We added cookie-based locale detection, a language switcher, and RTL support for Arabic. The docs site picks up your browser language automatically — or you can override it anytime. We also shipped full documentation for audit logs, webhooks, and scoped API keys with code examples in every SDK.

Highlights

  • 10-language i18n with automatic browser detection
  • New docs pages: Audit Logs, Webhooks, and API Keys
  • SDK examples for audit queries, webhook management, and key creation
  • Updated CLI reference with sirr audit and sirr keys commands

Webhooks, audit trails, and keeping an eye on things

Big day for visibility. The Sirr server now fires webhooks on every secret lifecycle event — created, read, expired, burned. Hook them up to Slack, PagerDuty, or your own automation. We also added a full audit log endpoint so you can trace exactly who accessed what and when. And for teams running multiple Sirr instances, the new instance heartbeat dashboard shows you which servers are online and when they last checked in.

Highlights

  • Webhook notifications for secret.created, secret.read, secret.expired, secret.burned
  • Append-only audit log with filterable queries
  • Online license validation with configurable cache
  • Instance heartbeat dashboard with status indicators

Secrets got a lot harder to steal

We shipped a major encryption upgrade. Every secret is now encrypted at rest with a server-generated key, and we added support for key rotation so you can cycle your encryption keys without downtime. The auth system also got an overhaul — you can now use scoped API keys with granular permissions instead of sharing the master key everywhere. Your CI pipeline can have read-only access to just the secrets it needs.

Highlights

  • Encryption-at-rest with server-generated keys
  • Key rotation support for zero-downtime secret re-encryption
  • Scoped API keys with read/write/delete/admin permissions
  • PATCH endpoint to update TTL and read limits on existing secrets
  • HEAD endpoint for checking secret existence without incrementing reads

Ship it (for real this time)

We spent the day getting the deployment pipeline right. Both the docs site and the dashboard now build as Docker images, ship to GHCR, and deploy automatically. Every build gets a traceable version number baked in — hit /api/version on either site and you'll see exactly which commit is running. Not glamorous work, but now we can ship multiple times a day without thinking about it.

Highlights

  • Automated Docker builds with multi-stage optimization
  • GHCR publishing with automatic public visibility
  • /api/version endpoint on every service for build traceability
  • One-command deploys to production

Day one — everything from scratch

We built the entire Sirr ecosystem in a single day. The Rust server went from first commit to full encryption, the Node.js SDK shipped, the MCP server for AI integration got wired up, and both the docs site and the SaaS dashboard went live. Also made it work on Docker with multi-arch support because nobody wants to think about whether their server is running on AMD or ARM.

Highlights

  • Sirr server: ChaCha20Poly1305 encryption, redb storage, full REST API
  • Node.js SDK with zero dependencies and native fetch
  • MCP server for Claude Code integration
  • Complete documentation site with 14 pages
  • SaaS dashboard with authentication and license management
  • Docker images for both amd64 and arm64