docs: rewrite CLI README

[NicolasRitouet]

Summary

• Rewrite tagline: "GitHub-native secrets management. Repo access = secret access."
• Add ASCII demo showing keyway init / keyway pull side-by-side (placeholder for GIF)
• Merge Install + Quick Start into one section (Homebrew primary, others in <details>)
• Add new Works with AI Assistants section: keyway run zero-trust + MCP Server (8 tools, 7 IDEs)
• Enrich Security: isolated Go crypto microservice mention, self-hostable
• Enrich Why Keyway: +AI support, +open-source bullets
• Add MCP Server + GitHub Action to Links section

Narrative flow: GitHub-native (hero) → AI/MCP (wow) → Open-source (trust) → DX (close)

Test plan

• Verify README renders correctly on GitHub (tables, collapsible, code blocks)
• Verify all links point to valid destinations
• Check dark mode rendering (no hardcoded colors)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Overhauled README with a clearer Quick Start flow and in-repo run examples showing secrets injection.
  • Shifted messaging to GitHub-native secrets and repository-based access; removed Slack-centric demos.
  • Added AI Assistant integration guidance and MCP Server overview.
  • Expanded security notes (self-hosting, At-Rest crypto, zero-trust considerations).
  • Consolidated install methods into an expandable section; reintroduced Environment Variables and “Why Keyway?”.
  • Updated development and resource links.

[coderabbitai]

📝 Walkthrough

Walkthrough

README.md was restructured: Problem/Solution replaced by a Quick Start with in-repo secrets injection, install methods consolidated, new "Works with AI Assistants" and "MCP Server" sections added, Environment Variables reinstated, and Security/Why Keyway/Development links expanded.

Changes

Cohort / File(s)

Summary

Documentation Restructuring README.md

Complete README overhaul: replaced Problem/Solution with Quick Start (in-repo secrets injection example), collapsed install instructions into Quick Start with "Other install methods", added "Works with AI Assistants" and "MCP Server" sections, reintroduced environment variables (KEYWAY_TOKEN, KEYWAY_API_URL, KEYWAY_DISABLE_TELEMETRY), expanded Security (Go crypto microservice, Docker Compose self-hosting), restored "Why Keyway?", and updated Development/Links.

Sequence Diagram(s)

(omitted — changes are documentation-only and do not introduce new multi-component runtime control flow)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• docs: fix README inconsistencies and outdated info #5: Overlapping README and CLI/environment docs changes (install URL, flag usage, KEYWAY_TOKEN) suggesting related documentation alignment.

Poem

🐰 I hopped through lines of docs today,
Quick Starts bloom where old bits lay,
Secrets tucked in repo nooks,
AI helpers reading all my books,
I munch, I cheer — hooray, hooray! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: rewrite CLI README' accurately reflects the main change—a comprehensive restructuring of the README.md file with new sections, messaging, and content organization.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/readme-rewrite

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@README.md`:
- Line 113: Update the README line that currently reads "Works with Claude Code,
VS Code, Cursor, Windsurf, Warp, GitHub Copilot, and Goose." to clarify GitHub
Copilot's partial MCP support: either annotate GitHub Copilot in-place to state
it supports only MCP "tools" (not "resources" or "prompts"), or move GitHub
Copilot into a separate "Partial MCP support" category and describe the
limitation; ensure the change references the existing string "Works with Claude
Code, VS Code, Cursor, Windsurf, Warp, GitHub Copilot, and Goose." so reviewers
can locate and verify the edit.

🧹 Nitpick comments (1)

README.md (1)

103-103: Clarify "8 tools" to avoid confusion.

Line 103 states "8 tools your AI assistant can use" which refers to MCP Server actions (generate, validate, scan, diff, inject, list, set, list environments), but this could be confused with the number of AI assistants listed on line 113 (7 tools: Claude Code, VS Code, Cursor, Windsurf, Warp, GitHub Copilot, Goose).

Consider rewording to: "8 MCP tools your AI assistant can use" or "8 secret management actions" to clarify these are MCP Server capabilities, not AI assistants.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@README.md`:
- Around line 14-22: Add a language identifier to the ASCII-art demo fenced code
block (the block that starts with the "You                          Teammate"
table) by changing the opening ``` to ```text (or ```plaintext) so the block is
properly rendered and satisfies markdown linting rules.
- Line 103: Replace the incorrect "8 tools" claim with an accurate statement
that the Keyway MCP server exposes 5 tools, and list them by their actual
exported names: keyway_list_secrets, keyway_get_secret, keyway_set_secret,
keyway_inject_run, and keyway_list_environments; update the sentence on line 103
(the one mentioning "generate, validate, scan, diff, inject, list, set, and list
environments") to instead state the five MCP tools and ensure the names match
the `@keywaysh/mcp` exports exactly.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@README.md`:
- Around line 135-137: The README contains an unsupported self-hosting claim
"Self-hostable — run the entire stack on your own infrastructure with Docker
Compose" which is misleading; either remove that sentence or replace it with an
accurate statement (e.g., "Hosted SaaS — currently available via
https://api.keyway.sh; self-hosting guide and Docker Compose are not provided")
and, if you intend to support self-hosting, add the actual Docker Compose files
and a documented guide and update the README to reference them; also update the
"security whitepaper" link text to a more accurate label like "Security
overview" if the linked page is not a formal whitepaper.

🧹 Nitpick comments (1)

README.md (1)

88-118: Consider adding a note about MCP Server security model.

The "Works with AI Assistants" section mentions that "values always masked" but doesn't explain how Keyway ensures values remain masked when AI assistants call the MCP tools. Adding a brief sentence about the masking mechanism would strengthen the security narrative and align with the detailed Security section below.

📝 Suggested addition

After line 103, consider adding:

5 tools your AI assistant can use — `keyway_list_secrets`, `keyway_get_secret`, `keyway_set_secret`, `keyway_inject_run`, and `keyway_list_environments` — with values always masked:

*Secret values are redacted in tool responses, so AI context never includes plaintext credentials.*

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for Docker Compose files
echo "=== Looking for Docker Compose files ==="
fd -t f -e yml -e yaml | grep -i compose

echo ""
echo "=== Searching for docker-compose specific files ==="
fd -type f "docker-compose" 

echo ""
echo "=== Checking for self-hosting and Docker Compose references in markdown ==="
rg -i "self.?host|docker.?compose" --type md -B 2 -A 2

echo ""
echo "=== Checking for security/whitepaper references ==="
rg -i "security" --type md -B 1 -A 1 | head -50

Repository: keywaysh/cli

Length of output: 1619

---

🌐 Web query:

keyway.sh security whitepaper

💡 Result:

I couldn’t find a standalone “security whitepaper” published under keyway.sh. Instead, Keyway documents its security model in these official pages:

• Keyway Security (website): architecture overview and claims such as an isolated (no-internet) crypto service, AES-256-GCM encryption, TLS 1.3, GitHub-native access control, audit trail, and open-source core. [1]
• Keyway Docs → Security: operational security features like activity logs, security alerts, and vulnerability reporting. [2]
• Keyway Docs → Getting Started (“How it works” diagram): high-level system diagram showing the isolated crypto service alongside the API and database. [3]

Sources:
[1] https://www.keyway.sh/security
[2] https://docs.keyway.sh/security
[3] https://docs.keyway.sh/

---

🌐 Web query:

keyway.sh docker compose self-hosting

💡 Result:

I couldn’t find any official Docker Compose self-hosting instructions for Keyway (keyway.sh). The published docs describe a hosted Keyway API (base URL https://api.keyway.sh/v1) that the CLI talks to, not a self-hostable server distribution or docker-compose.yml. [1], [2]. Their security page also describes their infrastructure as hosted (on Railway, EU), which further suggests it’s a SaaS offering rather than something you run yourself. [3]

If you actually meant Keygen (keygen.sh) (very similar name), that project has an official Docker Compose self-hosting guide, including running a setup profile and then docker compose up. [4]

Sources: [1] [2] [3] [4]

---

Remove or correct the misleading self-hosting claim in line 135.

The claim "Self-hostable — run the entire stack on your own infrastructure with Docker Compose" is not supported. No Docker Compose files exist in the repository, the README contains a <!-- TODO: add self-hosting guide link when docs page is live --> comment indicating documentation is missing, and the actual service operates as a hosted SaaS API. This claim is contradicted by your own service model (hosted on Railway, EU with a remote https://api.keyway.sh/v1 endpoint). Either add genuine self-hosting support with documented Docker Compose files and guides, or remove this claim to avoid misleading users.

Regarding the "security whitepaper" link on line 137: The referenced page (https://www.keyway.sh/security) exists but contains a security overview/claims summary rather than a formal whitepaper. Consider retitling the link accordingly if accuracy is important.

🤖 Prompt for AI Agents

In `@README.md` around lines 135 - 137, The README contains an unsupported
self-hosting claim "Self-hostable — run the entire stack on your own
infrastructure with Docker Compose" which is misleading; either remove that
sentence or replace it with an accurate statement (e.g., "Hosted SaaS —
currently available via https://api.keyway.sh; self-hosting guide and Docker
Compose are not provided") and, if you intend to support self-hosting, add the
actual Docker Compose files and a documented guide and update the README to
reference them; also update the "security whitepaper" link text to a more
accurate label like "Security overview" if the linked page is not a formal
whitepaper.