with one click
gum-hasp
Use when a gum workflow needs local secrets protected by HASP.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Use when a gum workflow needs local secrets protected by HASP.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | gum-hasp |
| description | Use when a gum workflow needs local secrets protected by HASP. |
Use this when gum work also needs local secrets outside Google's OAuth flow.
gum handles Google API discovery, OAuth login, local refresh-token storage, and guarded API calls.
HASP handles repo, test, and deploy secrets for commands and agents.
Install HASP and run setup:
brew tap gethasp/homebrew-tap
brew install hasp
hasp setup
Read HASP at https://github.com/gethasp/hasp before changing secret policy.
Register gum OAuth secrets through stdin:
printf '%s' "$GOOGLE_OAUTH_CLIENT_SECRET" \
| gum auth use-oauth-client --client-id "$GOOGLE_OAUTH_CLIENT_ID" --secret-stdin
Put other secrets in HASP, then run gum under a short grant:
hasp secret add
hasp app connect gum-work --cmd 'gum doctor' --install=never
hasp run --project-root . \
--target gum-work \
--grant-project session \
--grant-secret session \
-- gum doctor --format=json
Keep secret values out of prompts, repo files, shell history, and agent notes.
Use gum for Google API calls. Use HASP for non-Google secrets the command needs. Give agents the narrowest HASP grant that lets the command run.
Run hasp secret diff .env before committing a repo that used to carry plaintext secrets.