Security & Code Quality Hardening

This release focuses on security hardening and code quality improvements identified during a comprehensive codebase audit.

Security

• Eliminate deserialization risk: Replaced serialize()/unserialize() with json_encode()/json_decode() in cache encryption
• Timing-safe auth: Web server token comparison now uses hash_equals()
• Content Security Policy: Web UI now sends CSP headers restricting resource loading to same-origin

Code Quality

• Atomic rename with rollback: AbstractVault::rename() now rolls back if the delete step fails after creating the new key, preventing silent duplicates
• Single rename implementation: Web API controller now delegates to AbstractVault::rename() instead of reimplementing the logic
• Coverage reporting: Fixed phpunit.xml source directory (app → src)

Tests

• Added AbstractVaultRenameTest covering success, conflict, and rollback scenarios (461 total tests)

What's New

IAM Policy Generation (keep iam)

Keep can now generate a ready-to-use IAM policy JSON based on your actual configuration — no more manually editing example policies from the docs.

# Generate policy scoped to your workspace
keep iam

# Generate for all vaults and environments
keep iam --all

# Generate and open the AWS IAM console
keep iam --browser

The generated policy is tailored to your setup:

• Namespace-scoped — resources and tag conditions use your configured namespace
• Environment-scoped — SSM resource ARNs and Secrets Manager tag conditions are limited to your active environments
• Workspace-aware — respects your personal workspace configuration, so each team member gets a policy matching their access needs
• Multi-vault — combines SSM and Secrets Manager statements into a single policy when both are configured
• KMS-aware — includes the correct KMS key permissions (default or custom)

Improved Onboarding

The first-run experience is significantly smoother:

• Auto-init: Running keep in an uninitialized directory now launches the setup wizard automatically
• Guided flow: keep init now walks through vault setup → workspace configuration → IAM policy generation in one seamless flow
• AWS SDK detection: Vault drivers check for SDK availability and show clear install instructions if missing
• Credential pre-check: Uses STS GetCallerIdentity before running the full permission matrix, with clear guidance when credentials aren't configured
• Better errors: Missing vault configuration now shows actionable suggestions instead of generic errors

Documentation Audit

Comprehensive audit of all 22 documentation pages against source code, fixing 19 inaccuracies including incorrect option names, phantom flags, wrong command names, and an IAM policy tag mismatch that would have caused real policies to fail.

Changelog

• Add keep iam command with workspace-scoped IAM policy generation
• Add workspace and IAM policy offers to keep init setup flow
• Add IAM policy offer to keep vault:add
• Auto-redirect keep to init when uninitialized
• Add isAvailable() checks on vault drivers for missing AWS SDK
• Add AWS credential pre-check via STS before permission matrix
• Show actionable KeepException when no vaults configured
• Fix 19 documentation inaccuracies across 15 files
• Document keep iam command and updated onboarding flow

Changes

• Switched from --stage to --env option
• Renamed keep configure to keep init
• Simplified keep workspace:configure to keep workspace
• Various code improvements and documentation updates

Installation

composer global require stechstudio/keep:v1.0.0-beta.4

What's New

Runtime Secrets Injection

• New keep run command executes subprocesses with injected environment variables
• Secrets never touch disk - ideal for CI/CD and production deployments
• Supports templates for mixed static/secret configuration

Workspace Personalization

• Filter which vaults and stages appear in your workspace
• Personal settings stored locally, not committed to version control
• Useful for teams with many vaults/stages where developers work with subsets

Web UI Improvements

• Better handling for single-vault setups
• Dynamic column widths in diff view
• Persistent toggle states for masking and colors
• CSS fixes for long secret values

Other Changes

• Permissions now stored locally instead of in versioned config files
• Documentation restructured and streamlined
• Fixed packaged installation autoload paths

🚀 Keep Beta 2 - Web UI & Template Management

This introduces a comprehensive Web UI alongside the existing CLI, making secret management more accessible and visual.

✨ Highlights

Web UI

• Full-featured Vue 3 interface with dark theme
• Start with keep server command
• Complete CRUD operations with revision history
• Visual diff matrix for comparing across environments
• Import/Export support

Template Management

• CodeMirror-powered editor with syntax highlighting
• Live validation of {vault:key} placeholders
• Auto-generate templates from existing secrets
• Multiple strategies for missing secrets

🎯 Getting Started

# Start the web interface
keep server

# Or use CLI as before
keep shell
keep list

Note: This is a beta release. Please report any issues you encounter.

Keep v1.0.0-beta

Keep is your toolkit for secure, collaborative management of application secrets across environments and teams. This first beta release brings powerful features for managing secrets in AWS SSM Parameter Store and AWS Secrets Manager.

🚀 Key Features

Interactive Shell

• Context-aware shell for rapid secret management
• Tab completion for commands and secret names
• Persistent vault/stage context
• Command aliases (g for get, s for set, etc.)
• Built-in help system

Comprehensive CLI

• Intuitive commands for all secret operations
• Smart prompts when arguments aren't provided
• Helpful error messages with suggestions
• Works seamlessly in CI/CD pipelines

Multi-Vault Support

• AWS SSM Parameter Store driver
• AWS Secrets Manager driver
• Manage secrets across multiple vaults simultaneously
• Environment isolation (local, staging, production, custom stages)

📦 Core Commands

• keep shell - Launch the interactive shell
• keep set - Store secrets in vaults
• keep get - Retrieve individual secrets
• keep show - List all secrets in a stage
• keep copy - Copy secrets between stages/vaults (supports patterns)
• keep diff - Compare secrets across environments
• keep export - Export to .env files or process templates
• keep import - Import from .env files
• keep rename - Rename secrets while preserving values
• keep search - Search for text within secret values
• keep delete - Remove secrets
• keep verify - Verify vault setup and permissions
• keep info - Display configuration details

🎯 Perfect For

• Development Teams: Share secrets securely without committing to git
• DevOps: Manage secrets across multiple AWS accounts and regions
• CI/CD: Export secrets for deployments without hardcoding
• Multi-Environment Apps: Keep development, staging, and production secrets organized

📚 Template System

Keep includes a powerful template system for managing environment files:

# .env.template
APP_NAME=MyApp
DB_HOST={ssm:database-host}
DB_PASSWORD={secretsmanager:db-password}
API_KEY={vault:api-key}

Process templates with: keep export --template=.env.template --stage=production --file=.env

🔒 Security First

• Secrets never touch your git repository
• AWS IAM for authentication and authorization
• Encrypted storage in AWS vaults
• Masked values by default in output
• Audit trail in AWS CloudTrail

📦 Installation

composer require stechstudio/keep:^1.0.0-beta

🚦 Getting Started

# Configure Keep and your first vault
./vendor/bin/keep configure

# Verify everything is working
./vendor/bin/keep verify

# Start the interactive shell
./vendor/bin/keep shell

📖 Documentation

Full documentation available at https://stechstudio.github.io/keep/

Note: This is a beta release. While feature-complete and well-tested, we welcome feedback and bug reports via GitHub Issues.