Watch mode

Global flags

Flag	Default	Description
--data-dir	~/.keyledger	Directory for keyledger.db (overrides $KEYLEDGER_HOME)

watch

Run continuously: collect keys, save to the database, and dump a JSON file on every tick. Stops cleanly on SIGINT / SIGTERM.

keyledger watch
keyledger watch --interval 30m --output /var/log/keyledger
keyledger --data-dir /mnt/data watch --interval 1h

Flag	Default	Description
-i, --interval	1h	Collection interval (Go duration string: 30m, 1h, 6h)
-o, --output	(snapshot_dir from config)	Directory for snapshot JSON files
--unseal-addr	127.0.0.1:9876	Bind address for the unseal HTTP API

Each tick prints a summary line:

[2026-05-11 03:00:00] snapshot #12 — 47 keys (0 critical, 2 warnings) → /var/log/keyledger/snapshot-20260511T030000.json

Note

--output controls where snapshot JSON files are written. The database (keyledger.db) lives separately in --data-dir / $KEYLEDGER_HOME. The startup line watch: store: … shows you exactly which database is in use.

Unseal API

In Docker or headless environments where no terminal is available, watch automatically starts an HTTPS API so the encryption password can be supplied at runtime. The server uses an ephemeral self-signed certificate (ECDSA P-256, valid 24 h).

Startup output:

watch: store:  /data
watch: unseal API listening on https://0.0.0.0:9876
watch: TLS cert fingerprint (SHA-256): AB:CD:EF:…
watch: waiting for unseal — POST /v1/unseal with your password

Endpoint	Method	Body	Description
/v1/status	GET	—	{"sealed":bool,"setup":bool}
/v1/providers	GET	—	Provider list with expected credential field names
/v1/init	POST	{"password":"…"}	Initialise encryption and unseal (first run)
/v1/unseal	POST	{"password":"…"}	Unseal an already-initialised store
/v1/credentials	POST	{"provider":"…","field":"…","value":"…"}	Store a credential
/v1/credentials	DELETE	{"provider":"…","field":"…"}	Remove a credential

Use GET /v1/providers to discover field names before posting credentials:

curl -sk https://localhost:9876/v1/providers
# [
#   {"provider":"anthropic","fields":["admin_key"]},
#   {"provider":"aws","fields":["access_key_id","secret_access_key","sso_creds"]},
#   {"provider":"google","fields":["service_account_json"]},
#   {"provider":"openai","fields":["admin_key"]}
# ]

Note: -sk skips certificate verification for the self-signed cert. For stricter usage, extract the SHA-256 fingerprint printed at startup and pass it to curl --pinnedpubkey sha256//<base64>.