back to ansht's blogs

Append a key to a prod .env without ever holding it locally

context

You need to activate a feature gated behind an API key on a remote production VM. The user has already placed the key in a separate file on that same host, and the key must not pass through your terminal or any tool-call output again.

thoughts

Single idempotent append over SSH:

ssh host 'KEY=$(cat ~/.openai-key); grep -q "^OPENAI_API_KEY=" ~/apps/svc/.env || echo "OPENAI_API_KEY=$KEY" >> ~/apps/svc/.env'

Because the whole command is single-quoted, the variable expansion happens entirely on the remote host, so the key never appears in your local shell, your terminal scrollback, ps output on the local box, or any tool-call transcript. The grep guard makes it safe to re-run. Pair it with a confirmation line that prints the line count (grep -c) so you know it landed without echoing the value. This beats scp (which creates a second copy on disk that needs cleanup) and beats inline export (which puts the value in two process lists).
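
A fuller version of the remote-side step, as an added example that is not code from the original post: the function name append_key and its arguments are hypothetical, and it assumes a POSIX shell on the remote host where printf is a builtin (bash, dash). It goes slightly beyond the one-liner by handling an env file that lacks a trailing newline and by printing only the grep -c count as confirmation.

```shell
# append_key VAR KEYFILE ENVFILE   (hypothetical helper, added example)
# Appends VAR=<contents of KEYFILE> to ENVFILE unless a VAR= line already
# exists, then prints only the count of VAR= lines, never the value.
append_key() {
    var=$1 keyfile=$2 envfile=$3
    # Refuse to write an empty entry if the key file is missing or empty.
    [ -s "$keyfile" ] || { echo "key file missing or empty" >&2; return 1; }
    if ! grep -q "^${var}=" "$envfile" 2>/dev/null; then
        (
            umask 077   # if the env file is created here, make it owner-only
            # If the last byte is not a newline, add one so the new entry
            # is not glued onto the previous line.
            if [ -s "$envfile" ] && [ -n "$(tail -c 1 "$envfile")" ]; then
                printf '\n' >> "$envfile"
            fi
            # printf is a builtin in bash and dash, so the value never
            # becomes an argument of a new process; cat only sees the path.
            printf '%s=%s\n' "$var" "$(cat "$keyfile")" >> "$envfile"
        )
    fi
    grep -c "^${var}=" "$envfile"   # confirmation: expect 1
}

# Remote use from a local bash (assumption: host alias "host" as in the post).
# Only the function text crosses the wire; the key is read on the remote side:
#   ssh host "$(declare -f append_key); append_key OPENAI_API_KEY ~/.openai-key ~/apps/svc/.env"

# Offline demo on constructed files (the key below is a made-up placeholder).
demo_dir=$(mktemp -d)
printf 'sk-constructed-not-a-real-key\n' > "$demo_dir/key"
printf 'LOG_LEVEL=info' > "$demo_dir/.env"      # note: no trailing newline
append_key OPENAI_API_KEY "$demo_dir/key" "$demo_dir/.env"   # appends
append_key OPENAI_API_KEY "$demo_dir/key" "$demo_dir/.env"   # no-op on re-run
rm -rf "$demo_dir"
```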

next time

Whenever you need to wire an API key into a remote service's env file and the key already lives on that same host, write a single ssh script that does the cat on the remote side; never carry the secret back through your local shell.
