@keynv/cli 0.1.0-rc.22 → 0.1.0-rc.24
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +72 -50
- package/dist/index.js +313 -340
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -1,80 +1,88 @@
|
|
|
1
1
|
# @keynv/cli
|
|
2
2
|
|
|
3
|
-
>
|
|
3
|
+
> Self-hosted secrets vault for teams and AI-assisted development.
|
|
4
4
|
|
|
5
5
|
[](https://www.npmjs.com/package/@keynv/cli)
|
|
6
6
|
[](https://github.com/keynv-labs/keynv/blob/main/LICENSE)
|
|
7
7
|
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
! zsh history 5 likely secrets across 1 file
|
|
16
|
-
! Claude Code transcripts 62,306 likely secrets across 73 files
|
|
17
|
-
· Cursor logs clean
|
|
18
|
-
|
|
19
|
-
Total: 62,311 likely secrets across 74 files.
|
|
20
|
-
```
|
|
21
|
-
|
|
22
|
-
`doctor`, `scrub`, `shell`, and `watch` are fully local — no account, no server,
|
|
23
|
-
no network calls. Match previews are bounded to 3 characters; raw secret values
|
|
24
|
-
never appear in output.
|
|
8
|
+
Store your API keys, database URLs, and other secrets in one vault — hosted on
|
|
9
|
+
[keynv.dev](https://keynv.dev) or self-hosted — and reference them everywhere by
|
|
10
|
+
alias (`@project.env.key`) instead of the real value. `keynv` resolves aliases
|
|
11
|
+
into your app at runtime, so the real values never touch your code, your shell
|
|
12
|
+
history, or your AI agent's transcripts. Your agent sees
|
|
13
|
+
`@billing.prod.stripe_key`, never the key itself.
|
|
25
14
|
|
|
26
15
|
## Install
|
|
27
16
|
|
|
28
17
|
```bash
|
|
29
18
|
npm install -g @keynv/cli
|
|
30
|
-
keynv doctor
|
|
31
19
|
```
|
|
32
20
|
|
|
33
|
-
Prefer a standalone binary over Node? Every
|
|
21
|
+
Node 20+. Prefer a standalone binary over Node? Every
|
|
34
22
|
[release](https://github.com/keynv-labs/keynv/releases) publishes signed
|
|
35
23
|
executables for macOS / Linux / Windows with a `SHA256SUMS` manifest.
|
|
36
24
|
|
|
37
25
|
## Quick start
|
|
38
26
|
|
|
39
|
-
|
|
40
|
-
# 1. Find out where you're leaking (scan only — nothing is rewritten)
|
|
41
|
-
keynv doctor
|
|
27
|
+
### Option A · Use keynv.dev (hosted — fastest)
|
|
42
28
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
keynv scrub
|
|
29
|
+
1. Create a free account at [keynv.dev/register](https://keynv.dev/register).
|
|
30
|
+
2. Connect and set up your project:
|
|
46
31
|
|
|
47
|
-
|
|
48
|
-
keynv
|
|
49
|
-
|
|
32
|
+
```bash
|
|
33
|
+
keynv # pick "keynv.dev", then "Set up this project"
|
|
34
|
+
```
|
|
50
35
|
|
|
51
|
-
|
|
52
|
-
keynv watch start
|
|
53
|
-
keynv watch status
|
|
54
|
-
```
|
|
36
|
+
### Option B · Self-host
|
|
55
37
|
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
38
|
+
Run your own server + panel in ~15 minutes — see the
|
|
39
|
+
[Coolify walkthrough](https://github.com/keynv-labs/keynv/blob/main/deploy/COOLIFY.md)
|
|
40
|
+
or [Docker Compose guide](https://github.com/keynv-labs/keynv/blob/main/deploy/README.md).
|
|
41
|
+
Then run `keynv`, choose **Self-hosted server**, and enter your API URL.
|
|
60
42
|
|
|
61
|
-
|
|
43
|
+
> On a headless Linux box with no OS keychain (no libsecret), set
|
|
44
|
+
> `KEYNV_DISABLE_KEYCHAIN=1` before connecting — credentials then persist to an
|
|
45
|
+
> encrypted file instead of the system keychain.
|
|
62
46
|
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
47
|
+
### Then run your app — the way you already do
|
|
48
|
+
|
|
49
|
+
Setup imports your existing `.env` files into the vault and writes a committable
|
|
50
|
+
`.keynv.env` that maps your environment variables to aliases. It also wraps your
|
|
51
|
+
`package.json` scripts, so you just run them normally:
|
|
68
52
|
|
|
69
53
|
```bash
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
keynv secret create @demo.dev.api_key --value 'whatever'
|
|
73
|
-
keynv exec -- npm run dev # aliases resolved into the child, redacted from output
|
|
54
|
+
npm run dev # secrets injected automatically — no `keynv exec` to type
|
|
55
|
+
npm test
|
|
74
56
|
```
|
|
75
57
|
|
|
76
|
-
|
|
77
|
-
|
|
58
|
+
`.keynv.env` is safe to commit — it holds references, not values:
|
|
59
|
+
|
|
60
|
+
```bash
|
|
61
|
+
OPENAI_API_KEY=@myapp.dev.openai-key
|
|
62
|
+
DATABASE_URL=@myapp.prod.db-url
|
|
63
|
+
NODE_ENV=development # plain literals pass through unchanged
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
Behind the scenes your wrapped script runs `keynv exec -- <your command>`, which
|
|
67
|
+
resolves each `@alias` against the vault and forks your command with the real
|
|
68
|
+
values in a subprocess your editor and AI agent can't read — redacting them from
|
|
69
|
+
output. **You never type `keynv exec` yourself.**
|
|
70
|
+
|
|
71
|
+
Teams get project-scoped roles (owner / admin / developer / reader), per-secret
|
|
72
|
+
access, rotation, and a tamper-evident audit log — all managed from the CLI or
|
|
73
|
+
the web panel.
|
|
74
|
+
|
|
75
|
+
## Common commands
|
|
76
|
+
|
|
77
|
+
```bash
|
|
78
|
+
keynv # interactive TUI (projects, secrets, members)
|
|
79
|
+
keynv secret create # add a secret to the vault
|
|
80
|
+
keynv secret get @a.dev.key --copy # copy a value to the clipboard without printing it
|
|
81
|
+
keynv exec -- <cmd> # run a one-off command with aliases resolved
|
|
82
|
+
keynv member list <project> # who has access to a project
|
|
83
|
+
keynv whoami # who am I logged in as
|
|
84
|
+
keynv --help # full command list
|
|
85
|
+
```
|
|
78
86
|
|
|
79
87
|
## Use with Claude Code / Cursor (MCP)
|
|
80
88
|
|
|
@@ -83,11 +91,25 @@ never see the value. See the
|
|
|
83
91
|
[AI setup guide](https://github.com/keynv-labs/keynv/blob/main/docs/ai-setup.md)
|
|
84
92
|
for wiring it into Claude Code, Cursor, and other MCP clients.
|
|
85
93
|
|
|
94
|
+
## Also: clean up leaks you already have
|
|
95
|
+
|
|
96
|
+
Secrets already sitting in your shell history or AI transcripts? These commands
|
|
97
|
+
run entirely locally — no server or login needed:
|
|
98
|
+
|
|
99
|
+
```bash
|
|
100
|
+
keynv doctor # scan for leaked secrets (read-only, no network)
|
|
101
|
+
keynv scrub # clean them up, atomically, with backups
|
|
102
|
+
keynv watch start # scrub live AI-agent sessions in real time
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
Match previews are bounded to 3 characters; raw secret values never appear in
|
|
106
|
+
output.
|
|
107
|
+
|
|
86
108
|
## Documentation
|
|
87
109
|
|
|
88
110
|
- [Getting started](https://github.com/keynv-labs/keynv/blob/main/docs/getting-started.md)
|
|
89
111
|
- [AI setup (Claude Code / Cursor / MCP)](https://github.com/keynv-labs/keynv/blob/main/docs/ai-setup.md)
|
|
90
|
-
- [
|
|
112
|
+
- [Coolify deploy](https://github.com/keynv-labs/keynv/blob/main/deploy/COOLIFY.md)
|
|
91
113
|
- [Threat model](https://github.com/keynv-labs/keynv/blob/main/docs/02-threat-model.md)
|
|
92
114
|
- [Full README](https://github.com/keynv-labs/keynv#readme)
|
|
93
115
|
|