Developer secret workbench: a pure-Python keystore with GUI and CLI for OS keyring and AWS Secrets Manager
Project description
keynest
Developer keystore that is pipx-installable and supports the OS keychain / credential manager and AWS Secrets Manager — with both a CLI and a Tkinter GUI.
keynest is a developer secret workbench. It helps a single developer stop scattering
secrets across Notepad, stray .env files, shell history, and repo-adjacent config. It
manages secret maps (JSON dictionaries of keys to values) in either the laptop OS secret
store (via Python keyring) or
AWS Secrets Manager (via boto3).
The guiding opinion: make the safe path the easy path. Instead of
export DATABASE_PASSWORD=...
prefer
keynest run my-app -- python app.py
See spec/spec.md for the full product specification.
Prior Art
aws-vault is the best prior art and is recommended
over this tool for the moment. The main advantage of keynest will be that it is pure Python
and ships a GUI. keynest also borrows patterns shamelessly from chamber, SOPS, KeePassXC,
and the developer-docs-as-a-feature approach of Infisical / Doppler / 1Password.
Installation
pipx install keynest
Or with pip:
pip install keynest
Usage
keynest --help
Note: keynest is in early development. The CLI and GUI described in the spec are not yet implemented — the package scaffold and quality gates are in place first.
Contributing
See CONTRIBUTING.md.
License
MIT — see LICENSE.
Changelog
See CHANGELOG.md.
Current implementation
The implementation has moved beyond the early scaffold note above: both the CLI and Tkinter GUI are available, with OS-keyring and AWS Secrets Manager backends. The specification remains useful as product history, while the user documentation describes the behavior and limitations of the current code.
The preferred installation is an isolated global tool environment:
uv tool install keynest
or:
pipx install keynest
The install provides keynest and keynest-gui. Start with:
keynest health
keynest --help
keynest-gui
The recommended usage path injects a map only into a child process:
keynest run my-app/dev -- python app.py
See the documentation home, concepts and storage, dedicated CLI reference, GUI guide, AWS guide, and security model.
On Windows, keynest does not enumerate Credential Manager. It uses Python keyring to request exact entries under
its own DeveloperSecretWorkbench service and keeps a separate non-secret index for listing. Windows itself has a
credential-enumeration API, but keynest does not call it; this is an implementation boundary, not protection from
other software running as your user. Consequently, unrelated credentials stored by other applications do not appear
in keynest. The storage documentation has the
full explanation.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keynest-0.0.1.tar.gz.
File metadata
- Download URL: keynest-0.0.1.tar.gz
- Upload date:
- Size: 60.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8be2e14353a153042bef37d660486a814c0e9b27149d9f2fa0d545d0d60c233b
|
|
| MD5 |
d8e2711901163e1dbbb28381c4337f1a
|
|
| BLAKE2b-256 |
69251f26c5d0d112275de105ff9ebeceb4a7e675938f202519f14ba92dbe2a48
|
Provenance
The following attestation bundles were made for keynest-0.0.1.tar.gz:
Publisher:
release.yml on matthewdeanmartin/keynest
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keynest-0.0.1.tar.gz -
Subject digest:
8be2e14353a153042bef37d660486a814c0e9b27149d9f2fa0d545d0d60c233b - Sigstore transparency entry: 2024326495
- Sigstore integration time:
-
Permalink:
matthewdeanmartin/keynest@54caa49e48ae87a3f7099146edb9762fac0d858b -
Branch / Tag:
refs/tags/v0.0.1 - Owner: https://github.com/matthewdeanmartin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@54caa49e48ae87a3f7099146edb9762fac0d858b -
Trigger Event:
release
-
Statement type:
File details
Details for the file keynest-0.0.1-py3-none-any.whl.
File metadata
- Download URL: keynest-0.0.1-py3-none-any.whl
- Upload date:
- Size: 58.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b5892a8ee00642bd43adb8ce1ad535dfc8423ce4d1e66397f948076f4786041a
|
|
| MD5 |
3d28f9d4a66176807fbb0c8bacdc1d43
|
|
| BLAKE2b-256 |
3f9232c8a30a723dabba1a80c8a89996a79d4cb09d323b72f1a47934aa0e2e94
|
Provenance
The following attestation bundles were made for keynest-0.0.1-py3-none-any.whl:
Publisher:
release.yml on matthewdeanmartin/keynest
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keynest-0.0.1-py3-none-any.whl -
Subject digest:
b5892a8ee00642bd43adb8ce1ad535dfc8423ce4d1e66397f948076f4786041a - Sigstore transparency entry: 2024326626
- Sigstore integration time:
-
Permalink:
matthewdeanmartin/keynest@54caa49e48ae87a3f7099146edb9762fac0d858b -
Branch / Tag:
refs/tags/v0.0.1 - Owner: https://github.com/matthewdeanmartin
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@54caa49e48ae87a3f7099146edb9762fac0d858b -
Trigger Event:
release
-
Statement type: