@jonyoi jonyoi commented Nov 23, 2025

Adds a KeePassXC adapter. Unlike cloud-based managers (1Password), KeePassXC is local-only.

https://keepassxc.org
https://github.com/keepassxreboot/keepassxc

This implements a 'Passthrough' strategy: the adapter functions securely using the KeePassXC CLI locally, but when running in CI environments (GitHub Actions, GitLab, etc.), it seamlessly falls back to environment-provided secrets. This removes the need for conditional logic in deployment scripts.

Benefits:

Zero Config: Developers can use a single, unified .kamal/secrets file for both local development and CI pipelines.

Security Best Practice: Eliminates the temptation to commit binary .kdbx database files to the repository for CI access.

Fail Fast: In CI mode, the adapter explicitly raises an error if a requested secret is missing from the environment, preventing silent failures during deployment.

This enables a consistent, local-first, offline-friendly secret management setup without sacrificing CI/CD automation — perfect for a solo developer. KeePassXC’s encrypted database (.kdbx) file can live in an iCloud or Google Drive–synced folder if you want cloud backups, while still keeping everything local-first by default.

Usage Example

.kamal/secrets

# Works seamlessly on Local Machine AND GitHub Actions
SECRETS=$(kamal secrets fetch --adapter keepassxc --account $HOME/Path/To/Secrets.kdbx --from entry-title-here RAILS_MASTER_KEY KAMAL_REGISTRY_PASSWORD ANY_OTHER_ATTRIBUTE_SAVED_IN_ADVANCE_TAB_OF_AN_ENTRY)

RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
ANY_OTHER_ATTRIBUTE_SAVED_IN_ADVANCE_TAB_OF_AN_ENTRY=$(kamal secrets extract ANY_OTHER_ATTRIBUTE_SAVED_IN_ADVANCE_TAB_OF_AN_ENTRY ${SECRETS})

Happy to submit a PR to update these docs if this is merged.
https://kamal-deploy.org/docs/commands/secrets/
https://github.com/basecamp/kamal-site/blob/main/docs/commands/secrets.md

@jonyoi jonyoi force-pushed the add-keepassxc-adapter branch from 58ca38d to a1bbe3b on November 26, 2025 21:22
Collaborator

@djmb djmb left a comment

Thanks for the PR @jonyoi, I've added some feedback.

Author

jonyoi commented Dec 2, 2025

Thanks for the review!

Environment Password: You were absolutely right to flag ENV["KEEPASS_PWD"]. Looks like it was remnant code.

CI / Passthrough: I also removed the explicit ci_mode? checks. However, to support CI environments (where the CLI is missing but secrets are injected via Actions), I implemented a graceful fallback: if the CLI is missing, it attempts to read the requested secrets (e.g. RAILS_MASTER_KEY) from ENV before raising an error.

Does that sound like an acceptable approach? It allows the adapter to work in CI without users needing to modify other config files.
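The passthrough behaviour described in the PR description and in the comment above, as an added illustration that is not the PR's own code and does not use Kamal's adapter API: when keepassxc-cli is on PATH each secret is read from the .kdbx entry, otherwise every requested name is taken from ENV and a single error lists everything that is missing. The class name, constructor arguments and the exact keepassxc-cli invocation are assumptions; the CLI check and runner are injectable so the fallback can be exercised without KeePassXC installed.

```ruby
require "open3"

# Hypothetical passthrough adapter: keepassxc-cli locally, ENV in CI.
class KeepassxcPassthrough
  class MissingSecret < StandardError; end

  CLI = "keepassxc-cli"

  # database/entry: the .kdbx path and entry title (the --account / --from values)
  # env: Hash-like source used when the CLI is absent (defaults to ENV)
  # cli_present: -> Boolean, runner: ->(attribute) { String }; both overridable for tests
  def initialize(database:, entry:, env: ENV, cli_present: nil, runner: nil)
    @database = database
    @entry = entry
    @env = env
    @cli_present = cli_present || -> { cli_on_path? }
    @runner = runner || method(:show_attribute)
  end

  # Returns { "NAME" => "value" } for every requested secret.
  # In ENV mode all missing names are collected first so the error is complete.
  def fetch(names)
    if @cli_present.call
      names.to_h { |name| [name, @runner.call(name)] }
    else
      missing = names.reject { |name| @env.key?(name) }
      raise MissingSecret, "not in environment: #{missing.join(', ')}" unless missing.empty?
      names.to_h { |name| [name, @env.fetch(name)] }
    end
  end

  private

  def cli_on_path?
    ENV.fetch("PATH", "").split(File::PATH_SEPARATOR).any? { |dir| File.executable?(File.join(dir, CLI)) }
  end

  # Assumption: one attribute per call via `keepassxc-cli show`; -s reveals
  # protected values, -a selects the attribute (a field from the entry's
  # Advanced tab). keepassxc-cli prompts for the master password itself, so
  # nothing secret is ever placed on the command line or in ENV here.
  def show_attribute(attribute)
    out, err, status = Open3.capture3(CLI, "show", "-s", "-a", attribute, @database, @entry)
    raise MissingSecret, "#{attribute}: #{err.strip}" unless status.success?
    out.chomp
  end
end
```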

@jonyoi jonyoi requested a review from djmb December 2, 2025 19:29
@jonyoi jonyoi requested a review from djmb December 4, 2025 16:34