Metadata-Version: 2.4
Name: keynest
Version: 0.0.1
Summary: Developer secret workbench: a pure-Python keystore with GUI and CLI for OS keyring and AWS Secrets Manager
Project-URL: Repository, https://github.com/matthewdeanmartin/keynest
Project-URL: Documentation, https://keynest.readthedocs.io/en/latest/
Project-URL: Changelog, https://github.com/matthewdeanmartin/keynest/blob/main/CHANGELOG.md
Project-URL: homepage, https://github.com/matthewdeanmartin/keynest
Project-URL: issues, https://github.com/matthewdeanmartin/keynest/issues/
Author-email: Matthew Martin <matthewdeanmartin@gmail.com>
License-Expression: MIT
License-File: LICENSE
Keywords: aws,cli,credentials,developer-tools,gui,keyring,secrets,secrets-manager,tkinter,vault
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Requires-Python: >=3.11
Requires-Dist: boto3>=1.34.0
Requires-Dist: keyring>=24.0.0
Description-Content-Type: text/markdown

# keynest

Developer keystore that is pipx-installable and supports the OS keychain / credential
manager and AWS Secrets Manager — with both a CLI and a Tkinter GUI.

keynest is a **developer secret workbench**. It helps a single developer stop scattering
secrets across Notepad, stray `.env` files, shell history, and repo-adjacent config. It
manages *secret maps* (JSON dictionaries of keys to values) in either the laptop OS secret
store (via Python [`keyring`](https://pypi.org/project/keyring/)) or
[AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) (via `boto3`).

The guiding opinion: **make the safe path the easy path.** Instead of

```bash
export DATABASE_PASSWORD=...
```

prefer

```bash
keynest run my-app -- python app.py
```

See [spec/spec.md](spec/spec.md) for the full product specification.

## Prior Art

[aws-vault](https://github.com/ByteNess/aws-vault) is the best prior art and is recommended
over this tool for the moment. The main advantage of keynest will be that it is pure Python
and ships a GUI. keynest also borrows patterns shamelessly from `chamber`, SOPS, KeePassXC,
and the developer-docs-as-a-feature approach of Infisical / Doppler / 1Password.

## Installation

```bash
pipx install keynest
```

Or with pip:

```bash
pip install keynest
```

## Usage

```bash
keynest --help
```

> Note: keynest is in early development. The CLI and GUI described in the
> [spec](spec/spec.md) are not yet implemented — the package scaffold and quality gates
> are in place first.

## Contributing

See [CONTRIBUTING.md](docs/extending/CONTRIBUTING.md).

## License

MIT — see [LICENSE](LICENSE).

## Changelog

See [CHANGELOG.md](CHANGELOG.md).

## Current implementation

The implementation has moved beyond the early scaffold note above: both the CLI and Tkinter GUI are available, with
OS-keyring and AWS Secrets Manager backends. The specification remains useful as product history, while the
[user documentation](docs/index.md) describes the behavior and limitations of the current code.

The preferred installation is an isolated global tool environment:

```bash
uv tool install keynest
```

or:

```bash
pipx install keynest
```

The install provides `keynest` and `keynest-gui`. Start with:

```bash
keynest health
keynest --help
keynest-gui
```

The recommended usage path injects a map only into a child process:

```bash
keynest run my-app/dev -- python app.py
```

See the [documentation home](docs/index.md), [concepts and storage](docs/concepts.md), dedicated
[CLI reference](docs/usage/cli.md), [GUI guide](docs/usage/gui.md), [AWS guide](docs/aws.md), and
[security model](docs/security.md).

On Windows, keynest does not enumerate Credential Manager. It uses Python `keyring` to request exact entries under
its own `DeveloperSecretWorkbench` service and keeps a separate non-secret index for listing. Windows itself has a
credential-enumeration API, but keynest does not call it; this is an implementation boundary, not protection from
other software running as your user. Consequently, unrelated credentials stored by other applications do not appear
in keynest. The [storage documentation](docs/concepts.md#why-keynest-cannot-see-your-other-windows-credentials) has the
full explanation.
