From a1c82ee3a6ea0317fddf0f8401c68a31ea93262c Mon Sep 17 00:00:00 2001 From: Nicolas Ritouet Date: Fri, 6 Feb 2026 06:10:46 +0100 Subject: [PATCH 1/4] docs: rewrite README with GitHub-native hero, AI/MCP section, streamlined quick start MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restructure the CLI README around the strategy: GitHub-native (hero) → AI/MCP (wow) → Open-source (trust) → DX (close). - New tagline: "GitHub-native secrets management" - Add ASCII demo showing init/pull side-by-side - Merge Install + Quick Start (Homebrew primary, others in collapsible) - Add "Works with AI Assistants" section (keyway run + MCP Server) - Enrich Security (isolated crypto microservice, self-hostable mention) - Enrich Why Keyway (first-class AI support, fully open-source) - Add MCP Server and GitHub Action to Links Co-Authored-By: Claude Opus 4.6 --- README.md | 141 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 85 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index 3bc4003..4176777 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Keyway CLI -**Stop sharing `.env` files on Slack.** GitHub access = secret access. +**GitHub-native secrets management.** Repo access = secret access. [![Release](https://img.shields.io/github/v/release/keywaysh/cli?label=release&color=34D399)](https://github.com/keywaysh/cli/releases/latest) [![CI](https://github.com/keywaysh/cli/actions/workflows/ci.yml/badge.svg)](https://github.com/keywaysh/cli/actions/workflows/ci.yml) 
@@ -9,64 +9,54 @@ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) [![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=keywaysh/cli)](https://www.keyway.sh/vaults/keywaysh/cli) ---- - -## The Problem - -You're still doing this: -- Pasting secrets in Slack DMs -- Emailing `.env` files to new devs -- Rotating every secret when someone leaves -- Manually copying vars to Vercel/Railway/Netlify + -## The Solution - -```bash -keyway pull ``` - -That's it. If you have access to the repo, you have access to the secrets. No invites, no training, no friction. + You Teammate + ───────────────── ───────────────── + $ keyway init $ keyway pull + ✓ Logged in via GitHub ✓ Logged in via GitHub + ✓ Vault created ✓ Pulled 12 secrets + ✓ Pushed 12 secrets ✓ Wrote .env + Ready. Ready. +``` --- -## Install - -### Homebrew (macOS & Linux) +## Quick Start ```bash brew install keywaysh/tap/keyway ``` -### Install Script +
+Other install methods ```bash +# Install script (macOS & Linux) curl -fsSL https://keyway.sh/install.sh | sh -``` -### npx (no install) - -```bash +# npx (no install) npx @keywaysh/cli init -``` -### Direct download +# Direct download +# Grab the binary for your platform from Releases: +# https://github.com/keywaysh/cli/releases/latest +``` -Grab the binary for your platform from [Releases](https://github.com/keywaysh/cli/releases/latest). +
---- - -## Quick Start +Then, from your repo: ```bash -keyway init +keyway init # Create vault, push secrets ``` -This will: -1. Authenticate with GitHub -2. Create an encrypted vault for your repo -3. Push your local `.env` to the vault +A teammate clones the repo and runs: -New teammate joins? They run `keyway pull`. Done in 30 seconds. +```bash +keyway pull # Get secrets — 30 seconds from install to synced +``` --- @@ -76,6 +66,7 @@ New teammate joins? They run `keyway pull`. Done in 30 seconds. keyway init # First time: create vault, push secrets keyway push # Update remote secrets keyway pull # Get latest secrets +keyway diff # Compare local vs remote before pushing keyway sync vercel # Deploy to Vercel, Railway, Netlify ``` @@ -92,6 +83,37 @@ Secrets exist only in memory. When the process exits, they're gone. --- +## Works with AI Assistants + +AI coding agents can read your `.env` files. Keyway keeps secrets out of AI context. + +### `keyway run` — secrets never touch disk + +The AI sees command output but never secret values: + +```bash +keyway run -- npm test # AI sees "tests passed", not your DB password +keyway run -- npm run dev # Secrets in RAM only, invisible to agents +``` + +### MCP Server — AI manages secrets without seeing them + +8 tools your AI assistant can use — generate, validate, scan, diff, inject, list, set, and list environments — with values always masked: + +```bash +# Claude Code +claude mcp add keyway -- npx @keywaysh/mcp + +# VS Code / Cursor +code --add-mcp '{"name":"keyway","command":"npx","args":["@keywaysh/mcp"]}' +``` + +Works with Claude Code, VS Code, Cursor, Windsurf, Warp, GitHub Copilot, and Goose. + +[MCP Server docs →](https://github.com/keywaysh/keyway-mcp) · [AI agents guide →](https://docs.keyway.sh/ai-agents) + +--- + ## Security Your secrets are protected by: 
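Review bot: the `curl -fsSL https://keyway.sh/install.sh | sh` line under "Other install methods" in the `@@ -9,64 +9,54 @@` hunk documents a pipe-to-shell install with no hint on how to check what will run, while the "Direct download" comment right below it points at Releases where the binary (and presumably checksums) already live. Suggest a one-line pointer next to the curl command, e.g. download to a file and read it before running, or verify the release checksum, so the README's own security posture matches the install instructions. Separately, the commit message says the other installers go "in collapsible", but in this hunk "Other install methods" appears as bare text between two empty `+` lines; confirm the collapsible markup (details/summary) is actually present in the committed file.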
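Review bot: in the `@@ -92,6 +83,37 @@` hunk, "Secrets in RAM only, invisible to agents" and "secrets never touch disk" promise more than `keyway run` can deliver: it keeps values off disk and out of the AI's transcript, but whatever command follows `--` receives them in its environment, and in the workflow this section describes the agent is the one choosing that command. Suggest stating the guarantee precisely ("never written to disk, never placed in the AI's context, only in the environment of the launched process") and adding that the set of commands an agent may run under `keyway run` should be scoped, which is consistent with the "values always masked" framing the MCP subsection uses.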
@@ -99,13 +121,15 @@ Your secrets are protected by: | Layer | Protection | |-------|------------| | **Encryption** | AES-256-GCM with random IV per secret | -| **At Rest** | Encrypted in database, keys in isolated service | +| **At Rest** | Encrypted in database, keys in isolated Go crypto microservice | | **In Transit** | TLS 1.3 everywhere | | **Access Control** | GitHub collaborator API — no separate user management | | **Audit Trail** | Every pull and view is logged with IP and location | We can't read your secrets. Even if our database leaks, attackers get encrypted blobs. +Self-hostable — run the entire stack on your own infrastructure with Docker Compose. + [Read our security whitepaper →](https://www.keyway.sh/security) --- @@ -131,25 +155,6 @@ We can't read your secrets. Even if our database leaks, attackers get encrypted --- -## Environment Variables - -| Variable | Description | -|----------|-------------| -| `KEYWAY_TOKEN` | Auth token for CI/CD (create in Dashboard > API Keys) | -| `KEYWAY_API_URL` | Custom API endpoint | -| `KEYWAY_DISABLE_TELEMETRY=1` | Disable anonymous analytics | - ---- - -## Why Keyway? - -- **30 seconds** to onboard a new developer -- **0 secrets** to rotate when someone leaves (just revoke GitHub access) -- **1 command** to deploy secrets to production -- **GitHub-native** — no new accounts, no new permissions to manage - ---- - ## CI/CD Use an API key for automation: 
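Review bot: in the `@@ -99,13 +121,15 @@` hunk, the reworded At Rest row ("keys in isolated Go crypto microservice") now sits two lines above "We can't read your secrets", and the two statements pull in different directions: a key service run by the operator is an isolation control, not a zero-knowledge property, and the "attackers get encrypted blobs" sentence only covers a database leak, not a compromise of the key service. Suggest saying plainly who holds the data-encryption keys and whether the operator can decrypt, or softening the claim to "secrets are never stored or transmitted in plaintext". The new "Self-hostable" line is a good place to add that in that deployment the reader becomes the key holder.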
@@ -177,6 +182,27 @@ Or use the [GitHub Action](https://github.com/keywaysh/keyway-action): --- +## Why Keyway? + +- **30 seconds** to onboard a new developer +- **0 secrets** to rotate when someone leaves (just revoke GitHub access) +- **1 command** to deploy secrets to production +- **GitHub-native** — no new accounts, no new permissions to manage +- **First-class AI support** — MCP server and zero-trust mode keep secrets out of AI context +- **Fully open-source** — MIT licensed, self-hostable, auditable + +--- + +## Environment Variables + +| Variable | Description | +|----------|-------------| +| `KEYWAY_TOKEN` | Auth token for CI/CD (create in Dashboard > API Keys) | +| `KEYWAY_API_URL` | Custom API endpoint | +| `KEYWAY_DISABLE_TELEMETRY=1` | Disable anonymous analytics | + +--- + ## Development ```bash @@ -197,6 +223,9 @@ Releases are automated via GoReleaser on tag push. - [Documentation](https://docs.keyway.sh) - [Dashboard](https://keyway.sh) - [Security](https://keyway.sh/security) +- [MCP Server](https://github.com/keywaysh/keyway-mcp) +- [GitHub Action](https://github.com/keywaysh/keyway-action) + - [Status](https://status.keyway.sh) --- From e3efb657eef89b4b8107b77809ff7adb631bf492 Mon Sep 17 00:00:00 2001 From: Nicolas Ritouet Date: Fri, 6 Feb 2026 06:21:34 +0100 Subject: [PATCH 2/4] docs: promote keyway run over keyway pull as default flow Encourage zero-trust mode (secrets in memory) over writing .env files. Co-Authored-By: Claude Opus 4.6 --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 4176777..2a3c0a8 100644 --- a/README.md +++ b/README.md 
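Review bot: in the `@@ -177,6 +182,27 @@` hunk the new bullet "MCP server and zero-trust mode keep secrets out of AI context" introduces the name "zero-trust mode", which appears nowhere else in the README; the feature is called `keyway run` in the Works with AI Assistants section and in the command list. Use one name (or write "zero-trust mode (`keyway run`)") so readers can find the section the bullet refers to. The moved Environment Variables table is unchanged from the block removed in the previous hunk, so nothing else to flag there.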
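Review bot: the `@@ -197,6 +223,9 @@` hunk adds an empty `+` line between "- [GitHub Action](...)" and "- [Status](https://status.keyway.sh)", which splits the Links list in two and makes Markdown render it as a loose list with extra spacing. Drop the blank line so Status stays in the same list as the two new entries.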
@@ -9,16 +9,16 @@ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) [![Keyway Secrets](https://www.keyway.sh/badge.svg?repo=keywaysh/cli)](https://www.keyway.sh/vaults/keywaysh/cli) - + ``` You Teammate ───────────────── ───────────────── - $ keyway init $ keyway pull + $ keyway init $ keyway run -- npm start ✓ Logged in via GitHub ✓ Logged in via GitHub - ✓ Vault created ✓ Pulled 12 secrets - ✓ Pushed 12 secrets ✓ Wrote .env - Ready. Ready. + ✓ Vault created ✓ Injected 12 secrets + ✓ Pushed 12 secrets ✓ Server running + Ready. Ready. No .env on disk. ``` --- @@ -49,13 +49,14 @@ npx @keywaysh/cli init Then, from your repo: ```bash -keyway init # Create vault, push secrets +keyway init # Create vault, push secrets +keyway run -- npm start # Run with secrets injected, nothing on disk ``` A teammate clones the repo and runs: ```bash -keyway pull # Get secrets — 30 seconds from install to synced +keyway run -- npm start # Secrets injected — 30 seconds from install to running ``` --- @@ -64,8 +65,9 @@ keyway pull # Get secrets — 30 seconds from install to synced ```bash keyway init # First time: create vault, push secrets +keyway run # Run with secrets injected (nothing on disk) keyway push # Update remote secrets -keyway pull # Get latest secrets +keyway pull # Download secrets as .env (when you need the file) keyway diff # Compare local vs remote before pushing keyway sync vercel # Deploy to Vercel, Railway, Netlify ``` From 25b71301095e50a26ae48cfaca3ca4f32b318cec Mon Sep 17 00:00:00 2001 From: Nicolas Ritouet Date: Fri, 6 Feb 2026 19:48:22 +0100 Subject: [PATCH 3/4] docs: clarify GitHub Copilot partial MCP support --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2a3c0a8..bc3825e 100644 --- a/README.md +++ b/README.md 
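Review bot: in the `@@ -49,13 +49,14 @@` hunk, the added "keyway run -- npm start # Run with secrets injected, nothing on disk" follows "keyway init # Create vault, push secrets", and for that first developer "nothing on disk" is not true: init pushes the local `.env` (the text removed in patch 1 said so explicitly), and that file is still sitting in the working tree afterwards. The teammate line is accurate; for the initiating developer suggest a short note that the local `.env` can now be deleted and should stay gitignored, otherwise the hero's "No .env on disk." reads as a claim the workflow does not actually establish.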
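Review bot: in the `@@ -64,8 +65,9 @@` hunk the new command-list entry "keyway run # Run with secrets injected (nothing on disk)" is the only `keyway run` example on the page without the `-- <command>` part, which every other usage (`keyway run -- npm start`, `keyway run -- npm test`) shows. Write it as `keyway run -- <cmd>` so the listing documents the real invocation, and consider adding to the retained `keyway pull` comment that the downloaded `.env` is the one artifact on disk the rest of the README is trying to avoid.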
@@ -110,7 +110,9 @@ claude mcp add keyway -- npx @keywaysh/mcp code --add-mcp '{"name":"keyway","command":"npx","args":["@keywaysh/mcp"]}' ``` -Works with Claude Code, VS Code, Cursor, Windsurf, Warp, GitHub Copilot, and Goose. +Works with Claude Code, VS Code, Cursor, Windsurf, Warp, GitHub Copilot*, and Goose. + +*GitHub Copilot supports MCP tools only (not resources or prompts). [MCP Server docs →](https://github.com/keywaysh/keyway-mcp) · [AI agents guide →](https://docs.keyway.sh/ai-agents) From 149679596a6dd84139d7e30a55948763be3dfab2 Mon Sep 17 00:00:00 2001 From: Nicolas Ritouet Date: Sat, 7 Feb 2026 23:06:22 +0100 Subject: [PATCH 4/4] docs: fix code block language and correct MCP tools count - Add `text` language identifier to ASCII art code block - Fix "8 tools" claim to accurately list the 5 MCP tools Co-Authored-By: Claude Opus 4.6 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bc3825e..96b0d7a 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ -``` +```text You Teammate ───────────────── ───────────────── $ keyway init $ keyway run -- npm start @@ -100,7 +100,7 @@ keyway run -- npm run dev # Secrets in RAM only, invisible to agents ### MCP Server — AI manages secrets without seeing them -8 tools your AI assistant can use — generate, validate, scan, diff, inject, list, set, and list environments — with values always masked: +5 tools your AI assistant can use — `keyway_list_secrets`, `keyway_get_secret`, `keyway_set_secret`, `keyway_inject_run`, and `keyway_list_environments` — with values always masked: ```bash # Claude Code
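Review bot: in the `@@ -110,7 +110,9 @@` hunk the footnote is written as a bare `*` at the start of the line ("*GitHub Copilot supports MCP tools only ..."), which Markdown treats as a list bullet or the opening of emphasis, so the asterisk will not render as a footnote marker. Escape it (`\*GitHub Copilot ...`) or use `<sup>*</sup>`, and do the same for the marker after "GitHub Copilot*" in the sentence above so the two match.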
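Review bot: in the `@@ -100,7 +100,7 @@` hunk the corrected tool list now names `keyway_get_secret` in the same sentence as "with values always masked", and a reader cannot tell what a get-secret tool returns if values are masked. Suggest one clause saying what "masked" means here (for example, whether the tool returns a redacted placeholder, metadata only, or only injects into a child process via `keyway_inject_run`), since this is the line an evaluator will use to decide whether the MCP server ever puts a secret value into model context. The `text` fence fix in the first hunk is fine.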