-
Notifications
You must be signed in to change notification settings - Fork 1
docs: rewrite CLI README #9
Changes from 2 commits
a1c82ee
e3efb65
25b7130
1496795
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| # Keyway CLI | ||
|
|
||
| **Stop sharing `.env` files on Slack.** GitHub access = secret access. | ||
| **GitHub-native secrets management.** Repo access = secret access. | ||
|
|
||
| [](https://github.com/keywaysh/cli/releases/latest) | ||
| [](https://github.com/keywaysh/cli/actions/workflows/ci.yml) | ||
|
|
@@ -9,73 +9,66 @@ | |
| [](LICENSE) | ||
| [](https://www.keyway.sh/vaults/keywaysh/cli) | ||
|
|
||
| --- | ||
|
|
||
| ## The Problem | ||
|
|
||
| You're still doing this: | ||
| - Pasting secrets in Slack DMs | ||
| - Emailing `.env` files to new devs | ||
| - Rotating every secret when someone leaves | ||
| - Manually copying vars to Vercel/Railway/Netlify | ||
| <!-- TODO: replace with a 15s GIF of `keyway init` → `keyway run` --> | ||
|
|
||
| ## The Solution | ||
|
|
||
| ```bash | ||
| keyway pull | ||
| ``` | ||
|
|
||
| That's it. If you have access to the repo, you have access to the secrets. No invites, no training, no friction. | ||
| You Teammate | ||
| ───────────────── ───────────────── | ||
| $ keyway init $ keyway run -- npm start | ||
| ✓ Logged in via GitHub ✓ Logged in via GitHub | ||
| ✓ Vault created ✓ Injected 12 secrets | ||
| ✓ Pushed 12 secrets ✓ Server running | ||
| Ready. Ready. No .env on disk. | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## Install | ||
|
|
||
| ### Homebrew (macOS & Linux) | ||
| ## Quick Start | ||
|
|
||
| ```bash | ||
| brew install keywaysh/tap/keyway | ||
| ``` | ||
|
|
||
| ### Install Script | ||
| <details> | ||
| <summary>Other install methods</summary> | ||
|
|
||
| ```bash | ||
| # Install script (macOS & Linux) | ||
| curl -fsSL https://keyway.sh/install.sh | sh | ||
| ``` | ||
|
|
||
| ### npx (no install) | ||
|
|
||
| ```bash | ||
| # npx (no install) | ||
| npx @keywaysh/cli init | ||
| ``` | ||
|
|
||
| ### Direct download | ||
| # Direct download | ||
| # Grab the binary for your platform from Releases: | ||
| # https://github.com/keywaysh/cli/releases/latest | ||
| ``` | ||
|
|
||
| Grab the binary for your platform from [Releases](https://github.com/keywaysh/cli/releases/latest). | ||
| </details> | ||
|
|
||
| --- | ||
|
|
||
| ## Quick Start | ||
| Then, from your repo: | ||
|
|
||
| ```bash | ||
| keyway init | ||
| keyway init # Create vault, push secrets | ||
| keyway run -- npm start # Run with secrets injected, nothing on disk | ||
| ``` | ||
|
|
||
| This will: | ||
| 1. Authenticate with GitHub | ||
| 2. Create an encrypted vault for your repo | ||
| 3. Push your local `.env` to the vault | ||
| A teammate clones the repo and runs: | ||
|
|
||
| New teammate joins? They run `keyway pull`. Done in 30 seconds. | ||
| ```bash | ||
| keyway run -- npm start # Secrets injected — 30 seconds from install to running | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## How It Works | ||
|
|
||
| ```bash | ||
| keyway init # First time: create vault, push secrets | ||
| keyway run # Run with secrets injected (nothing on disk) | ||
| keyway push # Update remote secrets | ||
| keyway pull # Get latest secrets | ||
| keyway pull # Download secrets as .env (when you need the file) | ||
| keyway diff # Compare local vs remote before pushing | ||
| keyway sync vercel # Deploy to Vercel, Railway, Netlify | ||
| ``` | ||
|
|
||
|
|
@@ -92,20 +85,53 @@ Secrets exist only in memory. When the process exits, they're gone. | |
|
|
||
| --- | ||
|
|
||
| ## Works with AI Assistants | ||
|
|
||
| AI coding agents can read your `.env` files. Keyway keeps secrets out of AI context. | ||
|
|
||
| ### `keyway run` — secrets never touch disk | ||
|
|
||
| The AI sees command output but never secret values: | ||
|
|
||
| ```bash | ||
| keyway run -- npm test # AI sees "tests passed", not your DB password | ||
| keyway run -- npm run dev # Secrets in RAM only, invisible to agents | ||
| ``` | ||
|
|
||
| ### MCP Server — AI manages secrets without seeing them | ||
|
|
||
| 8 tools your AI assistant can use — generate, validate, scan, diff, inject, list, set, and list environments — with values always masked: | ||
|
coderabbitai[bot] marked this conversation as resolved.
Outdated
|
||
|
|
||
| ```bash | ||
| # Claude Code | ||
| claude mcp add keyway -- npx @keywaysh/mcp | ||
|
|
||
| # VS Code / Cursor | ||
| code --add-mcp '{"name":"keyway","command":"npx","args":["@keywaysh/mcp"]}' | ||
| ``` | ||
|
|
||
| Works with Claude Code, VS Code, Cursor, Windsurf, Warp, GitHub Copilot, and Goose. | ||
|
coderabbitai[bot] marked this conversation as resolved.
Outdated
|
||
|
|
||
| [MCP Server docs →](https://github.com/keywaysh/keyway-mcp) · [AI agents guide →](https://docs.keyway.sh/ai-agents) | ||
|
|
||
| --- | ||
|
|
||
| ## Security | ||
|
|
||
| Your secrets are protected by: | ||
|
|
||
| | Layer | Protection | | ||
| |-------|------------| | ||
| | **Encryption** | AES-256-GCM with random IV per secret | | ||
| | **At Rest** | Encrypted in database, keys in isolated service | | ||
| | **At Rest** | Encrypted in database, keys in isolated Go crypto microservice | | ||
| | **In Transit** | TLS 1.3 everywhere | | ||
| | **Access Control** | GitHub collaborator API — no separate user management | | ||
| | **Audit Trail** | Every pull and view is logged with IP and location | | ||
|
|
||
| We can't read your secrets. Even if our database leaks, attackers get encrypted blobs. | ||
|
|
||
| Self-hostable — run the entire stack on your own infrastructure with Docker Compose. | ||
|
|
||
| [Read our security whitepaper →](https://www.keyway.sh/security) | ||
|
Comment on lines
+135
to
137
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Check for Docker Compose files
echo "=== Looking for Docker Compose files ==="
fd -t f -e yml -e yaml | grep -i compose
echo ""
echo "=== Searching for docker-compose specific files ==="
fd -type f "docker-compose"
echo ""
echo "=== Checking for self-hosting and Docker Compose references in markdown ==="
rg -i "self.?host|docker.?compose" --type md -B 2 -A 2
echo ""
echo "=== Checking for security/whitepaper references ==="
rg -i "security" --type md -B 1 -A 1 | head -50Repository: keywaysh/cli Length of output: 1619 🌐 Web query:
💡 Result: I couldn’t find a standalone “security whitepaper” published under
Sources: 🌐 Web query:
💡 Result: I couldn’t find any official Docker Compose self-hosting instructions for Keyway (keyway.sh). The published docs describe a hosted Keyway API (base URL If you actually meant Keygen (keygen.sh) (very similar name), that project has an official Docker Compose self-hosting guide, including running a Sources: [1] [2] [3] [4] Remove or correct the misleading self-hosting claim in line 135. The claim "Self-hostable — run the entire stack on your own infrastructure with Docker Compose" is not supported. No Docker Compose files exist in the repository, the README contains a Regarding the "security whitepaper" link on line 137: The referenced page (https://www.keyway.sh/security) exists but contains a security overview/claims summary rather than a formal whitepaper. Consider retitling the link accordingly if accuracy is important. 🤖 Prompt for AI Agents |
||
|
|
||
| --- | ||
|
|
@@ -131,25 +157,6 @@ We can't read your secrets. Even if our database leaks, attackers get encrypted | |
|
|
||
| --- | ||
|
|
||
| ## Environment Variables | ||
|
|
||
| | Variable | Description | | ||
| |----------|-------------| | ||
| | `KEYWAY_TOKEN` | Auth token for CI/CD (create in Dashboard > API Keys) | | ||
| | `KEYWAY_API_URL` | Custom API endpoint | | ||
| | `KEYWAY_DISABLE_TELEMETRY=1` | Disable anonymous analytics | | ||
|
|
||
| --- | ||
|
|
||
| ## Why Keyway? | ||
|
|
||
| - **30 seconds** to onboard a new developer | ||
| - **0 secrets** to rotate when someone leaves (just revoke GitHub access) | ||
| - **1 command** to deploy secrets to production | ||
| - **GitHub-native** — no new accounts, no new permissions to manage | ||
|
|
||
| --- | ||
|
|
||
| ## CI/CD | ||
|
|
||
| Use an API key for automation: | ||
|
|
@@ -177,6 +184,27 @@ Or use the [GitHub Action](https://github.com/keywaysh/keyway-action): | |
|
|
||
| --- | ||
|
|
||
| ## Why Keyway? | ||
|
|
||
| - **30 seconds** to onboard a new developer | ||
| - **0 secrets** to rotate when someone leaves (just revoke GitHub access) | ||
| - **1 command** to deploy secrets to production | ||
| - **GitHub-native** — no new accounts, no new permissions to manage | ||
| - **First-class AI support** — MCP server and zero-trust mode keep secrets out of AI context | ||
| - **Fully open-source** — MIT licensed, self-hostable, auditable | ||
|
|
||
| --- | ||
|
|
||
| ## Environment Variables | ||
|
|
||
| | Variable | Description | | ||
| |----------|-------------| | ||
| | `KEYWAY_TOKEN` | Auth token for CI/CD (create in Dashboard > API Keys) | | ||
| | `KEYWAY_API_URL` | Custom API endpoint | | ||
| | `KEYWAY_DISABLE_TELEMETRY=1` | Disable anonymous analytics | | ||
|
|
||
| --- | ||
|
|
||
| ## Development | ||
|
|
||
| ```bash | ||
|
|
@@ -197,6 +225,9 @@ Releases are automated via GoReleaser on tag push. | |
| - [Documentation](https://docs.keyway.sh) | ||
| - [Dashboard](https://keyway.sh) | ||
| - [Security](https://keyway.sh/security) | ||
| - [MCP Server](https://github.com/keywaysh/keyway-mcp) | ||
| - [GitHub Action](https://github.com/keywaysh/keyway-action) | ||
| <!-- TODO: add self-hosting guide link when docs page is live --> | ||
| - [Status](https://status.keyway.sh) | ||
|
|
||
| --- | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.